The Associate Director, Information Security GRC will manage the people, processes, and technology related to the company's security GRC group, overseeing governance, risk, and compliance activities such as client audit support, RFP response, internal IT audit, and contract review. The role carries out GRC activities in line with business objectives, regulatory requirements, and strategic goals, with a focus on ensuring alignment with contractual requirements and recognised security frameworks.
You will be the process owner for all IS Security GRC-related projects and activities. You will assist the CISO in planning, developing, and overseeing the information security program, with a broad view of the effective integration of Security, Information Technology, new business development, the Office of General Counsel, and the professional responsibility group. In addition to providing ongoing governance and oversight of IS GRC operations, the role assists the CISO with maintaining strategic alignment with the business, engaging in security outreach and promotional activities, and providing expert guidance to internal and external constituents.
Responsibilities:
* Direct responsibility for all aspects of IS GRC
* Ensure continual improvement of the information security program via the effective application of technology, systems, processes, personnel, skill development, and leadership
* Provide security services that meet or exceed the professional, contractual, regulatory, and certification requirements
* Manage the IS GRC people, processes, and technology infrastructure, including the creation and review of IS GRC standards, guidelines, and operating procedures
* Serve as the business owner for common IS GRC toolsets, platforms, and processes
* Work with the business development team to accurately represent the information security program during client audits and RFPs
* Guide Legal regarding acceptable contract terms and conditions
* Lead the System Governance Virtual Team, promoting continual ISMS improvement
* Provide direction on risk assessment requirements and assistance with evaluating risk treatment plans
* Define documentation requirements to ensure compliance with ISMS requirements
* Advise the team regarding client contractual requirements and commitments relative to GRC practices
* Work closely with the Security Operations and Engineering teams to define, develop, and facilitate efficient and effective service delivery to constituent organisations
* Oversee the operation of integrated vendor and other risk assessment activities with assistance from the technical teams
* Meet published SLAs relative to the provisioning and support of GRC security operations and activities
* Understand policies and standards and convey those requirements to end users in a professional and objective manner
* Maintain the Information Security Management System (ISMS), including the creation and review of policies, standards, and procedures
* Enforce, monitor, and report on compliance with the ISMS
* Manage the security awareness program, including ancillary functions such as phishing testing and other constituent outreach programs
* Liaise with system and business owners to ensure that new platforms are compliant with security requirements
* Maintain assigned systems to ensure availability, reliability, and integrity, including the oversight of current and projected capacity, performance, and licensing
* Provide status reports and relevant metrics to the CISO
* Manage the security-related information repositories and contribute to marketing/awareness endeavours
* Maintain situational and environmental awareness and use that knowledge to implement appropriate tactics and strategies to protect the organisation and assist with roadmap development
* Mentor and lead members of the Security GRC group by conducting effective performance reviews, suggesting development opportunities, establishing a culture of performance excellence, and maintaining the highest standards of ethical and professional care
* Participate in defining the DR/BCP practices as required
* Monitor changes in legislation and accreditation standards that affect information security
Skills and Experience:
* Thorough knowledge of professional management practices including supervisory techniques, leadership principles, and employment practices
* Proficiency in oral and written English; excellent verbal and written communication skills, including public speaking, and the ability to convey complex concepts to non-technical constituents
* Ability to think and communicate strategically regarding the role of information security in a successful global organisation
* Ability to quickly ascertain the current capability-maturity level of an organisation and use that information when responding to RFPs, audits, contract reviews, and internal operations
* Good understanding of at least one of the major EGRC/ITGRC platforms
* Comprehensive understanding of major information security frameworks such as NIST, CIS, ISO 27001/27002, and COBIT
* Familiarity with common regulatory schemes such as GDPR, PCI-DSS, GLBA, FISMA, HIPAA, and ITAR
* Advanced understanding of technical controls, how those controls address risk, and how they map to framework and regulatory requirements
* Broad understanding of TCP/IP, DNS, common network services, and other foundational topics
* Knowledge of server, workstation, and Active Directory technologies that affect security controls
* Understand common security monitoring technologies such as SIEM, IDS, log management, and vulnerability assessment concepts
* Ability to gather and analyse facts, draw conclusions, define problems, and suggest solutions
* Ability to maintain objectivity and composure under pressure
* Capable of assisting with the creation of internal training materials and documentation
#4596830 - James O'Donoghue