Job Description
Job Description
MUST HAVE EXPERIENCE WITH DFS500
The Security GRC Specialist - Regulatory and Audit Lead is an experienced professional in Information Security Governance, Risk management and Compliance functions.
The role involves performing security risk assessments and assessing compliance against cybersecurity related external (laws and regulations), internal (company policies) requirements and industry frameworks (NIST CSF, ISO 27001, FFIEC CAT) as well as working with other IT and security teams to implement security solutions, test the effectiveness of security controls, and document the compliance levels.
It is a key role to develop, deploy, and manage the security GRC framework.
ESSENTIAL JOB FUNCTIONS
Cybersecurity Regulatory Lead
Manage the regional cyber regulatory compliance program including : assessing requirements, communicating and working with internal stakeholders to ensure required controls are in place and supporting documentation is maintained.
Review controls implemented for appropriateness, effectiveness, and completeness. Assist, follow-up and report on any necessary remediation actions.
- Act as a subject matter expert for all DFS500-related matters and ensure the bank maintains and enhances its level of compliance with DFS500 requirements
- Assist during cyber regulatory examinations by preparing presentations, responses and associated artifacts
- Act as the subject matter expert to develop and maintain an effective FFIEC CAT framework for the bank
- Manage the FFIEC CAT inherent and maturity assessments
- Develop related reports and metrics
Security GRC Framework Specialist
- Maintain an in-depth understanding of the broad regulatory landscape impacting business and IT areas
- Understand the impact of laws and regulations on company systems and technology
- Map external and internal requirements against security controls in place
- Develop and implement the components of the security GRC Framework for mapping threats, vulnerabilities, risks, assets, stakeholders, assessments, standards, policies, controls into a holistic lifecycle to achieve Assess and Test Once, Report Multiple Times
- Actively manage the security GRC framework by :
- Performing various security risk assessments to identify residual risks and control gaps
- Ensuring clients, regulatory, and internal requirements are being met consistently and effectively
- Ensuring the required and expected controls are in place and working as they should
- Reviewing, and maintaining security policies, standards and procedures as needed
- Recommending tooling and process improvements of the Security GRC function, including automation
- Providing multi-level reporting to stakeholders in the company
- Build partnerships across the organization : Audit, Legal, Compliance, Information Technology, business operations, Risk management, etc.
to ensure the security GRC program is aligned with business objectives and requirements
Documentation, Reporting & Analytics
Contribute to the reporting framework that will provide regular metrics about our business and IT environment; analyze trends in security events, activities, etc.
to better understand risks, and current gaps.
KNOWLEDGE AND EXPERIENCE
- 8-10 years’ demonstrable experience in security GRC, security project management, and other security practices
- Working knowledge of relevant cybersecurity and data privacy regulations
- Knowledge of common security frameworks (NIST CSF, ISO 27001, COBIT, FFIEC CAT, etc.)
- Proficient with MS Office, project management processes, and at least one GRC tool (highly preferred to have experience with RSA Archer)
- Solid understanding of common security topics (e.g., application security, infrastructure security, vulnerability management, Identity and Access Management, data protection, cyber incident response, cloud security, etc.)
- Requires strong analytical skills, oral and written communication skills including documentation of requirements, problem solving skills, and project / program management skills and presentation skills
- Experience in managing risk and compliance (IT audit, IT or cyber risk management, regulatory compliance)
EDUCATION / CERTIFICATIONS
- Degree in IT, Computer Science, Cybersecurity, or related subject required
- Certified training in security management, risk and compliance solutions and practices
- Ability to work towards or has achieved at least one Information Security or Risk Management Certification (Security+, CISSP, CCSP, CCSK, CISA, CISM, GSEC, CRISC, etc.)