Senior GRC and IT Risk Management Professional

22 Oct 2024


Job Description

Title: Senior GRC & IT Risk Management Professional

Ekman Associates is a management consulting firm that specializes in developing business, digital, and technology strategy, delivering solutions, and addressing human resource demands.

Summary: The Senior GRC & IT Risk Management Professional role is responsible for developing, integrating, and supporting GRC practices to ensure compliance and reduce risk factors.

Key Skills:

  • Ability to create an enterprise-wide GRC program from scratch
  • Strong analytical and communication skills
  • Knowledge of enterprise GRC, governance, and compliance principles, practices, laws, rules, and regulations
  • Understanding of GRC within an IT security domain
Responsibilities:
  • Create and implement an enterprise-wide GRC program and processes (governance, risk, and compliance) to automate and continuously monitor information security controls, exceptions, risks, and testing. Develop reporting metrics, dashboards, and evidence artifacts.
  • Implement security controls, a risk assessment framework, and a program that align with regulatory requirements.
  • Evaluate risks and develop security standards, procedures, and controls to manage those risks.
  • Define and document business process responsibilities and ownership of controls in the GRC tool. Schedule regular assessments and testing of the effectiveness and efficiency of controls and create GRC reports.
  • Perform internal and external information security risk and exception assessments.
  • Assess incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
  • Document and report control failures and gaps to stakeholders. Provide remediation guidance and prepare management reports to track remediation activities.
  • Train, guide, and act as a resource on GRC functions for other departments.
  • Perform other related duties as assigned.
  • Develop and conduct risk assessments using leading frameworks (e.g., ISO, COBIT, NIST).
  • Review business and technical assessment questionnaires and evidence. Schedule and conduct review calls with business stakeholders and vendors.
  • Document and communicate findings and observations to internal and external stakeholders.
  • Track open issues and related remediation execution (programmatically).
  • Utilize a GRC tool as the central repository for risk and control information.
  • Collaborate with internal stakeholders to develop continued program process improvements.
  • Report on assessment outcomes, risk levels, and remediation progress.
  • Continuously raise awareness of the program through training, info-sessions, and interactions with business stakeholders, security teams, legal, etc.
Qualifications:
  • Bachelor's degree with a major in business or management information systems, or relevant experience
  • Preferred certifications: CISSP, CISA, CIPP, CRISC, CEH, and/or CISM
  • GRC (Security Risk Assessment & Risk Management), ISMS Audit, Gap Analysis, Incident Response Program, Security Awareness Program, Data Loss Prevention, Identity and Access Management, Vendor Assessment Program, IT Asset Management (ITAM), Physical Security, Key & Certificate Management, Patch Management, Vulnerability Management, Disaster Recovery and Business Continuity Planning, Policy and Standard Development
  • Experience working with GRC tools such as ServiceNow, Archer, MetricStream, etc.
  • Threat, vulnerability, business continuity, and risk assessment
  • National and international regulatory compliance and frameworks such as NIST Cyber Security Framework, ISO, SOX, EU DPD, HIPAA, PCI DSS
  • Compliance: PCI DSS, ISO 27001, SSAE18 SOC 2, HIPAA, HITRUST, SOX, NIST CSF, NIST 800, FFIEC, COBIT, NYDFS, CIS CSC, GDPR, CCPA
  • Preferred skills in Google Docs
  • Strong knowledge base in information security, risk management, privacy, operations, enterprise networking, systems evaluation, and architecture
  • Strong analytic skills for problem analysis and resolution
  • Strong written and verbal communication and organizational skills, as this individual will be working on multiple projects
  • Experience in the development, implementation, and/or maintenance of a global enterprise IT and security risk and control framework
  • Experience with IT GRC platforms, including the ability to drive maturity and enhancements to the platform, tools, and methodologies
Qualified Candidates Only: If you wish to learn more about this opportunity and additional qualifications/responsibilities, please submit your resume. To learn more about Ekman Associates, Inc., please visit our website at www.ekmanassociates.com.

  • ID: #21518710
  • State: California, Yorba Linda 92887, USA
  • City: Yorba Linda
  • Salary: BASED ON EXPERIENCE
  • Job type: Permanent
  • Showed: 2021-10-22
  • Deadline: 2021-12-19
  • Category: Et cetera