Provide direction and management for team members in the performance of IT Risk, Governanceand Compliance activities. Responsible for managing the process of identifying and assessingrisk, reducing it to an acceptable level, and follow through on risk remediation. Define thegovernance, risk and compliance program elements and the plan to monitor for activecompliance across the enterprise. Assist in the development and maintenance of IT GRCpolicies, procedures, baselines, and standards. Responsible for managing the process thatsafeguards the enterprise from control deficiencies, regulatory gaps and reputational risk.Responsible for supporting compliance initiatives, such as PCI-DSS and IT compliance withInternal Audit, through remediation tracking, exception processing and metrics reporting.Responsible for Incident Management procedures, Data preservation for eDiscovery andRegulatory activities, Disaster Recovery and Business Continuity procedures, Securityawareness training. Responsible for analysis and reporting of risk associated with new companyinitiatives and ongoing maintenance of an overall Risk Register and Compliance Calendar.
- Define the plan to identify and evaluate business and technology risks, internal controls which mitigate risks, and related opportunities for internal control improvement.
- Perform remediation, exception and risk acceptance efforts across the range of risk findings associated with diverse stakeholders across the enterprise.
- Coordinate risk mitigation plans with appropriate Society partners.
- Support the implementation of IT GRC tools and IT GRC projects to ensure that security controls are in place for the confidentiality, integrity and availability of ACS systems and data.
- Effectively manage, monitor and take action to ensure coordination and effectiveness of all
- Risk and Threat Management components and activities and decide on issues requiring escalation.
- Support the Security Incident and Event Management Plan.
- Develop, implement, and enhance audit and compliance tracking processes in order to ensure adherence to IT GRC policies and guidelines as well as regulatory compliance.
- Assist business and IT teams with solution vendor selection and technology selections, as required to address risk exposure.
- Establish effective IT disaster recovery and business continuity policies and procedures.
- Enterprise Identity and Access Management (IAM) governance through developing processes designed to accommodate the wide range of access needs.
- Perform information security and vulnerability assessments and penetration testing.- Provide timely communication and reporting related to security events (real time, trends),security incident management tracking and follow up.
- Apply broad in depth business and technical knowledge to establish technical direction and priorities.
- Resolve and work on issues across multiple functional areas.
- Develops, mentors and evaluates personnel to ensure efficient operations within the team.
- Other duties as assigned
- 8 (eight) + years of relevant Information Technology (IT) experience, with a minimum of 5 years’experience focusing on IT Risk, Governance and Compliance
- CISSP certification expected. Other advanced security, risk or governance certifications welcomed.
- CRISC or other IT risk-related certifications a plus.
- PCI-DSS audit experience is important. Lead auditor or Primary audit respondent, or current /former PCI QSA.
- Demonstrated knowledge of recognized IT audit-related standards and regulations.
- Demonstrated knowledge of recognized IT process and quality frameworks such as COBIT,COSO, ISO 27000, ITIL.
- Broad range of experience, including both technical and non-technical facets of IT internal controls and compliance, including logical and physical controls for applications, infrastructure and e-Commerce. Knowledge of industry best practices and standards for IT and Engineering development and deployment.
- Working knowledge of application development, server, and/or networking architecture components.
- Experience with risk analysis and securing of cloud-based solutions.
SKILLS:
- Strong analysis and process evaluation skills.
- Excellent problem solving skills.
- Able to develop policies focused on governance and security enforcement that are in alignment with an overall GRC strategy.
- Critical decision-making ability and experience.
- Ability to provide guidance to team members
- Ability to identify problems and resolve collaboratively with internal teams and vendor partners
- Ability to communicate clearly and compellingly to business staff, IT team and management
- Strong customer service behavior and continuous quality improvement orientation.
- Ability to maintain a high level of confidentiality.
- Excellent oral, written, and presentation communications skills.
SPECIAL MENTAL OR PHYSICAL DEMANDS:
- Work is normally performed in a typical interior/office work environment
- No or very little physical effort required
- No or very limited exposure to physical risk
- Self-motivated and able to organize work for others.
- Able to work quickly with attention to detail including high-pressure situations.
- Ability to communicate technical concepts to a broad range of technical and non-technical staff.
- Ability to travel when necessary
- Ability to work flexible hours including occasional nights and weekends
We are committed to providing staff with fulfilling opportunities to learn, grow and make an impact in their local communities. We offer staff a generous paid time off policy; medical, dental and retirement benefits, and professional development programs to enhance staff skills.