IT Security Governance, Risk, and Compliance (GRC) Engineer

Overview

The Information Security Governance, Risk, and Compliance (GRC) Engineer plays an instrumental role in fulfilling Crocs, Inc.’s GRC strategies and processes. As a key member of the global GRC team, this engineer works directly with other stakeholders such as Legal, Risk, Internal Audit, etc. to ensure the alignment of the company's IT and Enterprise risk management framework with its business objectives and regulatory requirements.

The GRC Engineer possesses a combination of technical expertise, backgrounds in GRC and applicable frameworks, and situational awareness of global regulatory needs, to identify, track, and address potential risks, while proactively enhancing the company's overall GRC posture.

What You'll Do

Third Party Risk Management (TPRM)

• Build and maintain the chosen GRC platform to programmatically capture Cyber/IT risks, enabling timely analysis for risk control and reporting.
• Drive automation of TPRM processes including self-service questionnaires, evidence uploads, results evaluations, workflow facilitation, and other internal requirements through collaboration with key department stakeholders.
• Implement processes to automate and continuously monitor information security controls, exceptions, risks, and testing and establishing metrics, dashboards, and evidence artifacts.

Policy and Procedure Management

• Construct, maintain, and supervise implementation of Cybersecurity GRC Policies and Processes to ensure compliance with applicable laws, regulations, and industry standard frameworks including communications and training.
• Collaborate with partners from other core organizations (e.g., Legal, Audit) to ensure Cybersecurity and GRC components are accounted for in collaborative enterprise-wide policies, and processes.
• Define and document security process responsibilities, ownership of the tools tool’s controls, schedule regular assessments and testing for effectiveness and efficiency of controls and generate reports.

Audit and Compliance Management

• Coordinate with internal and external auditors to facilitate audits, ensuring IT and Enterprise compliance, and address potential issues proactively by working with stakeholders and Subject Matter Experts (SMEs) on deficiency remediation of audit or internal control findings.
• Guide IT and other Enterprise organizations to successfully achieve required compliance.
• Act as a point of contact for IT SOX Audit, working with the internal audit team and external auditors.
• Conduct user access reviews, certifications, and audits to ensure compliance with regulatory requirements and industry best practices
• Maintain the chosen GRC platform for managing, tracking, and reporting on Audit and Compliance findings.

Risk Management

• Maintain the Cybersecurity Risk Register and collaborate with other Risk stakeholders throughout the enterprise for inclusion in overall risk reporting and continuous monitoring.
• Work with business owners of known risks for remediation or compensating controls for policy adherence.
• Facilitate documentation and approval process for Risk Acceptance, in accordance with Cybersecurity policy and applicable frameworks.

What You'll Bring to the Table

• Bachelor’s degree or equivalent experience in Information Technology or related field. 
• 4+ years of confirmed experience in cybersecurity as a practitioner, with 2+ years in a GRC role.
• Experience working with other compliance driven teams such as Legal and Audit. An IT infrastructure background is a plus.
• Situational awareness of relevant laws and regulations and other applicable frameworks.
• Possessing strong Risk Management Skills to identify, analyze, and effectively mitigate or manage enterprise risks with knowledge of risk management frameworks and methodologies.
• Excellent written and verbal communication skills, with the ability to present complex GRC issues and strategies clearly to various stakeholders.
• Proficiency in analyzing complex data, interpreting compliance requirements, and crafting effective solutions.
• Ability to negotiate with, influence, and secure buy-in from various stakeholders, both internal and external, to achieve GRC objectives.
• Knowledge of GRC technology solutions, as well as a broad understanding of information security principles and best practices.
• A dedication to continuous learning; a commitment to keeping up to date with the latest developments in the GRC field, including evolving laws and regulations, emerging risks, and best practices in GRC management.