Description:
The Information Security GRC Analyst, reporting to the Director of Information Security GRC, will support the implementation and maintenance of the organization's Governance, Risk, and Compliance (GRC) program, with a strong focus on third-party security compliance, security governance, and internal controls. The role contributes to maintaining a formally structured, risk-based security framework aligned with industry standards such as ISO 27001 and ISO 22301. The position requires a minimum of three years of information security experience in a similar role and excellent communication skills.
Essential Functions
- Oversee the cybersecurity compliance program for third parties, including:
  - Managing requests from clients, prospects, auditors, cyber-insurers, and others relating to our security program, to ensure timely and accurate responses to security questionnaires and associated requests.
  - Managing the information security compliance of the Firm's key IT vendors, covering initial security due diligence, annual security re-certification, and continuous monitoring of each vendor's security posture.
- Assist with the performance of key internal security processes and controls, including:
  - Tracking status and following up with the responsible person to ensure key internal security tasks are completed on time and according to the annual schedule.
  - Maintaining security dashboards, metrics, and reports as required for the team, the IT Department, and senior management.
  - Proposing and implementing improvements to existing security standards and procedures.
- Conduct security tasks as required to maintain the Firm's ISO 27001 and ISO 22301 certifications, including:
  - Conducting limited-scope internal security audits.
  - Collaborating with IT and business units to remediate compliance gaps.
  - Maintaining documentation related to compliance activities, controls, and audit findings.
  - Assisting with ad-hoc security investigations.
  - Staying current on emerging regulations, standards, and industry trends.
Qualifications
- Bachelor's degree in Information Technology, Computer Science, Cybersecurity, or a related field
- Minimum three years of experience in IT compliance, risk management, or information security
- Knowledge of security standards and frameworks (e.g., ISO 27001, ISO 22301, NIST)
- Experience with security risk management processes and compliance tools
- Outstanding oral and written communication skills
- Excellent interpersonal relationship skills
- High level of attention to detail and accuracy
- High degree of personal initiative and maturity with an ability to work with minimal supervision
- Ability to prioritize tasks effectively, meet deadlines, and report any issues or conflicts arising in the performance of operational activities or in the planning and scheduling of tasks and projects
- The following professional certifications are an asset:
  - CISSP, CISA, CISM, CRISC
  - SANS/GIAC, CompTIA Security+, CEH