IT Security Governance, Risk, and Compliance (GRC) Engineer

Overview

Reporting into Information Security, the Governance, Risk, and Compliance (GRC) Engineer plays an instrumental role in guiding GRC strategies and processes. As the primary GRC authority in India and supporting the global GRC team, this engineer works directly with other partners such as Legal, Risk, Internal Audit, etc. to ensure the alignment of the company's IT and Enterprise risk management framework with its business objectives and regulatory requirements. The GRC Engineer possesses a combination of technical expertise, background in GRC, and applicable frameworks. They will identify, track, and address potential risks, while proactively improving the company's overall GRC posture.

What You'll Do

Third Party Risk Management

• Act as a local point of contact for the IT Third Party Risk Management Program.
• Maintain the chosen GRC platform to programmatically capture Cyber/IT risks, timely analysis to enable risk control and reporting.
• Implement security controls, risk assessment framework, and program that aligns to regulatory requirements, chosen frameworks, and other internal requirements through collaboration with other key department partners.
• Implement processes to automate and continuously supervise information security controls, exceptions, risks, and testing. Develop performance measures, dashboards, and evidence artifacts.

Policy and Procedure Management

• Develop, maintain, and supervise implementation and adherence to regional Cybersecurity and GRC Policies and Processes to ensure compliance with applicable laws, regulations, and chosen industry standard frameworks including communications and training.
• Collaborate with partners from other core organizations (e.g., Legal, Audit) to ensure Cybersecurity and GRC components are accounted for in collaborative enterprise-wide policies, and processes.
• Define and detail security processes responsibilities and ownership of the controls in GRC tool. Schedule regular assessments and testing of effectiveness and efficiency of controls and build reports.

Audit and Compliance Management

• Assist with all global regulatory and compliance assessments to include ISMS, MLPS, GDPR, SOX, NIST CSF, and PCI.
• Develop and implement controls and documentation for all applicable security and/or privacy regulations within the APAC region.
• Coordinate with internal and external auditors to facilitate audits, with the goal of assuring IT and Enterprise compliance and addressing potential issues proactively.
• Guide IT and other Enterprise organizations to successfully achieve required compliance.
• Work with partners and Subject Matter Authorities on deficiency remediation as a result of audit or internal control findings

Risk Management

• Responsible for maintaining the Cybersecurity Risk Register and collaborating with other Risk collaborators throughout the enterprise for inclusion in overall risk reporting.
• Work with business owners of known risks for remediation or compensating controls for policy adherence.
• Facilitate documentation and approval process for Risk Acceptance, in accordance with Cybersecurity policy and applicable frameworks.

What You'll Bring to the Table

• Bachelor’s degree or equivalent experience in Information Technology or related field.
• 6+ years of confirmed experience in cybersecurity as a practitioner, with 2+ years in GRC role. Experience working with other compliance driven teams such as Legal, Audit, etc.
• In-depth Knowledge of Relevant Laws and Regulations and other applicable frameworks.
• Knowledge and experience implementing and auditing CIS controls.
• Risk Management Skills: Ability to identify, analyze, and optimally mitigate enterprise risks. Familiarity with risk management frameworks and methodologies.
• Critical Thinking and Leadership: Strong ability to lead and handle the GRC function, develop and complete strategic plans, and guide the organization towards its GRC objectives.
• Communication and Presentation Skills: Excellent written and verbal communication skills, with the ability to present sophisticated GRC issues and strategies clearly to various partners.
• Analytical Skills: Strong ability to analyze sophisticated data, interpret compliance requirements, and develop effective solutions.
• Negotiation and Influencing Skills: Ability to negotiate with, influence, and secure consensus from various partners, both internal and external, to achieve GRC objectives.
• IT Proficiency: Familiarity with the use of GRC technology solutions, as well as a broad understanding of information security principles and standard processes.
• Focus on staying updated with GRC field progress, including shifting laws and standard methodologies in GRC management.