GRC Engineer

About the position

The GRC (Governance, Risk, and Compliance) Engineer is responsible for participating in the information security program to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected. The GRC engineer is responsible for identifying, evaluating, and reporting on information security risk to information assets. The GRC engineer will proactively work with business units and partners to assess and design controls to reduce information security risk. The GRC engineer should understand and articulate the impact of information security controls on the business and be able to communicate this to stakeholders. The GRC engineer must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations.

Responsibilities

• Assist in managing a targeted information security awareness training program for all staff and affiliates; establish metrics to measure the effectiveness of this security training program for the different audiences.
• Understand and interact with other business units to ensure the consistent application of policies and standards across all technology projects, systems and services, including risk management and compliance.
• Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.
• Participate in a risk-based process for the assessment and mitigation of any information security risk in the organization (including vendors, business partners and other third parties).
• Assist in managing a governance, risk, and compliance platform to facilitate risk management and incident management. Integrate platform with other systems and data sources.
• Facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of remediation efforts.
• Consult with project managers to ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices, and guidelines.
• Act as a member of the IIRP during information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the organization's reputation.
• Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
• Facilitate periodic security compliance reviews and audits of on-premises and hosted environments, including AWS and Azure.
• Maintain compliance documentation, including managing and tracking policy exceptions.
• Assist in managing security awareness training.
• Assist in the assessment and review of new and existing technology infrastructure to ensure adequate levels of control are in place to address identified risks and develop risk mitigation techniques and processes when necessary.
• Assist in the development and ongoing oversight of a robust vulnerability management program.
• Conduct risk assessments on business and IT operational processes, procedures, and policies; interpret audit results and make conclusions on the adequacy and reliability of controls; prepare and present reports, as necessary.
• Develop and manage reports using business intelligence tools.
• Stay informed about current security and privacy laws and provide guidance to the team when evaluating new projects; and perform other duties as assigned.

Requirements

• Bachelor's degree or equivalent work experience in a technical discipline related to Information Technology
• Minimum 7 years hands-on information security experience, including experience conducting technical and non-technical risk assessments
• Strong knowledge of information security risk management and information security technologies (e.g. SIEM, vulnerability management, data loss prevention, and/or endpoint protection)
• Proven track record and experience interpreting information security policies and procedures and successfully communicating with non-security workforce.
• Excellent interpersonal skills, presentation skills, and verbal / written communication skills
• Understanding of compliance and regulatory requirements such as HIPAA and PCI
• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
• Organized, responsive, and thorough problem solver
• Ability to work collaboratively with a broad range of staff
• High degree of initiative, dependability, and ability to work with little supervision while being resilient to change
• Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
• High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity

Nice-to-haves

• Experience hardening/securing virtualization technologies, databases, and operating systems (Windows/Linux) utilizing industry best practices
• Knowledge of networking concepts (routing, switching, VLANs, ACLs), systems administration or development.
• Experience coding including use of APIs
• Familiarity with information security policies, standards, industry best practices, and frameworks. (ISO 27K, NIST 800-53, CIS, HITRUST, etc.)
• General information security certification (e.g., CISSP, CISA, etc.)
• Experience with Infrastructure as a Service (IaaS), such as AWS or Azure
• Knowledge of industry best practices related to security concepts

Benefits

• Medical/Vision
• Dental
• Flexible spending accounts
• Life insurance
• Disability insurance
• Retirement
• Family life support
• Employee assistance program
• Onsite health clinic
• Tuition reimbursement
• Paid vacation (12-22 days per year)
• Paid sick leave (12-25 days per year)
• Paid holidays (13 days per year)
• Paid parental leave (up to 4 weeks)
• Partially paid sabbatical leave (up to 6 months)