The Associate Director/Manager, IT Governance, Risk, and Compliance (GRC) works within the Information Security Office to help with development and management of the GRC Program. In particular, this position is responsible for supporting the overall compliance and governance programs through obtaining and/or maintaining ongoing compliance with information security and data industry standards and regulatory requirements (i.e. HITRUST, HIPAA, PCI, 21 CFR Part 11, SSAE18, etc.). Specifically, the role will be responsible for facilitation of third party audits and attestation engagements, customer requests for information, and execution of risk and compliance assessments in support of readiness and monitoring in preparation of attest engagements. The role will oversee and execute these activities with the support and management responsibility over 1-3 staff members.
DUTIES AND RESPONSIBILITIES
Support and manage external IT-related attestation engagements, including HITRUST, SOX, SSAE18/SOC, PCI and similar, as well as others where required.
Complete customer security questionnaires and requests for information (RFIs).
Liaise with external customers on IT and Information Security posture in support of existing relationships and requests for proposals (RFPs).
Develop and maintain strong business and technology relationships.
Liaise with other internal regulatory subject matter experts such as Legal, Privacy, Internal Audit, and others as needed to ensure alignment with regulatory requirements.
Support internal, external, regulator, customer, or other IT audits and/or requests for information with Information Security scope as needed.
Support the CAPA tracking process resulting from audits, including assignment to IT issue owners and timely execution of mitigating actions.
Help ensure alignment of technology controls between industry standards/policy/regulatory requirements and critical business needs; and
Communicate effectively across multiple levels.
JOB QUALIFICATIONS / REQUIRED SKILLS:
7-10 years in Information Security, IT Audit/Governance/Risk/Compliance, or similar role. At least 3-4 years of management experience preferred.
Strong knowledge of information security governance, risk, and compliance programs.
Strong understanding and experience with requirements in regulated IT environments.
Proven project management and organizational skills, specifically managing multiple, concurrent projects.
Strong analytical background and technical skills with the ability to apply regulatory requirements to IT operational and technical controls.
Demonstrated leadership skills with ability to communicate effectively and collaborate strongly within a virtual team.
Excellent conceptual and critical thinking skills and sound judgment, with strategic orientation and ability to perform tactically, as required.
Experience and understanding of the functionality of GRC tools such as Archer is a plus.
Bachelor's degree in business/technology or a related field required; graduate degree preferred.
Certifications in one or more of the following areas preferred: CISSP, CISA, CISM, CRISC,