Information Security - Governance, Risk, and Compliance (GRC)
RiskSense is a leader in cyber security threat assessment and remediation management. If you join our team, you will be joining 80+ professionals dedicated to helping our clients better defend their networks and the data with which they have been entrusted. RiskSense is a multi-year winner of Technology Ventures Corporation's Flying 40 Award, a four-year recipient of Albuquerque Business First's Fastest Growing Companies Award, a four-year recipient of Inc. Magazine's Inc. 5000 award and a four-year participant in the New Mexico Private 100. We have sustained 50% year-over-year revenue growth while remaining profitable for the past five years.
General Summary of Job
As part of the GRC team, this role has a dual responsibility for developing, leading and performing GRC and information security functions and services for the company's internal processes and for the company's clients. Under the guidance and leadership of the SVP GRC / CSO, the position has the following responsibilities:
For client-facing duties, this role is responsible for planning, coordinating, performing and reporting on GRC/information security assessments and related services; developing and maintaining client relationships; providing GRC consulting services and expert advice and guidance to clients; performing risk assessments; developing incident response plans; and developing and delivering GRC/security training.
For internal-facing duties, this position is responsible for assisting in the development, maintenance and management of the company's GRC and information security program, policies, standards and procedures; performing and updating risk assessments; monitoring compliance with, and reviewing the effectiveness of, information security policies and procedures; and developing and delivering GRC/security training. This position develops and monitors practices to ensure that the company's systems are protected from unauthorized access, protected from inappropriate alteration, physically secure, and available to authorized users in a timely fashion.
KNOWLEDGE and EXPERIENCE
- Minimum five years of internal or external information technology audit experience and/or information security experience.
- Information security and IT compliance body of knowledge: in-depth to expert knowledge of information security control frameworks, best-practice standards, regulatory requirements, industry requirements for information security and IT-related compliance requirements. Specifically, knowledge of the NIST Special Publication 800 series, FISMA, HIPAA Security and Privacy Rules, FFIEC IT security guidance, GLBA, ISO/IEC 27001 and 27002, COBIT, PCI DSS, data breach notification laws, the CSA Cloud Controls Matrix (CCM) and FedRAMP.
- AICPA SSAE and SOC audits: familiar with SSAE 16 / SOC 2 audit requirements.
- Ability to analyze technology infrastructure, operational processes and internal controls in order to formulate cost-effective measures that improve control effectiveness and efficiency.
- Audit and assessment methodologies: knowledge of IT audit standards and best practices, audit report writing, audit sample testing methods and internal controls for information technology.
- Ability to present assessment findings and recommendations in a manner that will be understood and accepted by all responsible parties.