Sr. IT Security Governance, Risk, and Compliance (GRC) Engineer
Shanghai, SH, CN
Overview
The Sr. Information Security Governance, Risk, and Compliance (GRC) Engineer plays an instrumental role in guiding the company's GRC strategies and processes. As the primary GRC authority in China, this leader works directly with stakeholders such as Legal, Risk, and Internal Audit to align the company's IT and Enterprise risk management framework with its business objectives and regulatory requirements. The role also supervises other APAC GRC engineers on regional compliance, assessment, and remediation tracking.
The GRC Engineer combines technical expertise with a background in GRC and the applicable frameworks. They will identify, track, and address potential risks while proactively enhancing the company's overall GRC posture.
What You'll Do
Third Party Risk Management (TPRM)
- Act as the primary regional point of contact for the IT Third Party Risk Management Program.
- Maintain the chosen GRC platform to programmatically capture Cyber/IT risks, enabling timely analysis for risk control and reporting.
- Implement security controls, a risk assessment framework, and a program aligned with regulatory requirements, the chosen frameworks, and other internal requirements, through collaboration with key department stakeholders.
- Implement processes to automate and continuously monitor information security controls, exceptions, risks, and testing, and establish metrics, dashboards, and evidence artifacts.
Policy and Procedure Management
- Construct, maintain, and supervise implementation of and adherence to regional Cybersecurity GRC policies and processes, including communications and training, to ensure compliance with applicable laws, regulations, and industry-standard frameworks.
- Collaborate with partners from other core organizations (e.g., Legal, Audit) to ensure Cybersecurity and GRC components are accounted for in enterprise-wide policies and processes.
- Define and document security process responsibilities and ownership of the tools' controls; schedule regular assessments and testing of control effectiveness and efficiency; and generate reports.
Audit and Compliance Management
- Lead the analysis and implementation of any new regional regulatory requirements within the APAC region.
- Facilitate the China MLPS Certification program.
- Assist with the South Korean ISMS Certification program.
- Guide overarching data privacy programs in collaboration with regional Legal teams.
- Coordinate with internal and external auditors to facilitate audits, ensure IT and Enterprise compliance, and address potential issues proactively by working with stakeholders and Subject Matter Experts (SMEs) to remediate audit or internal control findings.
- Guide IT and other Enterprise organizations to successfully achieve required compliance.
- Maintain the chosen GRC platform for managing, tracking, and reporting on Audit and Compliance findings.
Risk Management
- Maintain the Cybersecurity Risk Register and collaborate with other Risk stakeholders throughout the enterprise for inclusion in overall risk reporting and continuous monitoring.
- Work with business owners of known risks on remediation or compensating controls to achieve policy adherence.
- Facilitate documentation and approval process for Risk Acceptance, in accordance with Cybersecurity policy and applicable frameworks.
What You'll Bring to the Table
- Bachelor’s degree or equivalent experience in Information Technology or related field.
- 6+ years of proven experience in cybersecurity as a practitioner, with 4+ years in a GRC role.
- Experience working with other compliance driven teams such as Legal and Audit. An IT infrastructure background is a plus.
- Ability to lead others in GRC compliance, assessment, and remediation tracking.
- Situational awareness of relevant laws, regulations, and other applicable frameworks.
- Strong risk management skills to identify, analyze, and effectively mitigate or manage enterprise risks, with knowledge of risk management frameworks and methodologies.
- Strong ability to lead and manage the GRC function, develop and implement strategic plans, and guide the organization towards its GRC objectives.
- Excellent written and verbal communication skills, with the ability to present complex GRC issues and strategies clearly to various stakeholders.
- Proficiency in analyzing complex data, interpreting compliance requirements, and crafting effective solutions.
- Ability to negotiate with, influence, and secure buy-in from various stakeholders, both internal and external, to achieve GRC objectives.
- Knowledge of GRC technology solutions, as well as a broad understanding of information security principles and best practices.
- A dedication to continuous learning and a commitment to keeping up to date with the latest developments in the GRC field, including evolving laws and regulations, emerging risks, and best practices in GRC management.
The Company is an Equal Opportunity Employer committed to a diverse and inclusive work environment.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or any other protected classification.
At Crocs, Inc. we believe in the power of a blend of in-person and virtual collaboration to drive creativity and strengthen relationships. Your participation in this flexible schedule plays a key role in building a connected and successful team. In-office requirements vary by our work personas: Resident (5 days), Collaborator (4 days), Connector (2-3 days), Explorer (fully remote). This role has been aligned to the Collaborator persona.
Job Category: Corporate