Company: Anagha Padlekar

Address: Mumbai, Maharashtra
Category: Finance & Accounting

Job description

Job Purpose
- The person appointed will be part of the Information Security Team and responsible for developing, implementing, and managing the Information Security GRC program to ensure compliance with regulatory requirements, industry standards, and organizational policies.
- Initiate, run and manage Information Security governance, risk management, audits, and compliance with relevant regulations.
- Plan, initiate, coordinate, and run the Governance, Risk & Compliance activities, and produce the reports and present them to the CISO.
- Coordinate the resolution of outstanding security and IT audit issues, and track the overall risk and audit points, to keep the company's security risk at an acceptable level.
Key Responsibilities
- Develop the GRC Operating Model: Enterprise Security Risk Management, Compliance Management, Policy Management, Security Awareness Training, Third Party Risk Management, Metrics & Reporting.
- Implement security controls, a risk assessment framework, and a program that align with regulatory requirements, ensuring documented and sustainable compliance aligned with business objectives.
- Implement ISO 27001 and assist the CISO in building the Information Security Management System (ISMS).
- Achieve and maintain ISO 27001 ISMS certification for the organisation.
- Develop a complete set of corporate Information Security policies and standards and continually monitor the Information Security controls, KRIs/KPIs and technical landscape.
- Evaluate risks and develop security standards, procedures, and controls to manage them.
- Improve security posture through process improvement, policy, automation, and the continuous evolution of capabilities.
- Implement processes to automate and continuously monitor Information Security controls, exceptions, risks, and testing.
- Develop reporting metrics, dashboards, and evidence artifacts.
- Define and document business process responsibilities and ownership of the controls in the GRC tool.
- Schedule regular assessments, test the effectiveness and efficiency of controls, and create GRC reports.
- Update security controls and provide support to all stakeholders on security controls covering internal assessments, regulations, protection of Personally Identifiable Information (PII), the Digital Personal Data Protection (DPDP) Act, the IT Act 2000, etc.
- Perform and investigate internal and external Information Security risk and exception assessments.
- Assess incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
- Document and report control failures and gaps to stakeholders.
- Provide remediation guidance and prepare management reports to track remediation activities.
- Remain current on best practices and technological advancements.
- Work with business, internal IT and third-party vendor teams to promote and adopt security best practices.
- Conduct regular Information Security risk reviews on IT assets and provide exception/exposure reporting and remediation plans to the CISO.
- Identify and communicate vulnerability and risk exposure to internal employees and key stakeholders, and to senior management when deemed necessary.
- Review and ensure that proposed new technology solutions and processes comply with the Company's security policies as well as relevant regulations.
- Provide security requirements for new initiatives, and perform and document gap analysis against those requirements.
- Participate in the development and maintenance of the Information Security strategy, roadmap, and standards.
Experience
- 8-12 years of experience in Governance, Risk and Compliance, including risk assessment and management methodology.
- Knowledge of Information Security management, governance, and compliance principles, practices, laws, rules and regulations applicable to the e-commerce industry (GDPR, PCI-DSS, IT Act 2000, DPDP Act, etc.).
- Understanding of Information Security systems and processes; network infrastructure; data architecture, data processes, and protocols; cloud security standard frameworks, architecture, design, operations, controls, technology, solutions, and service orchestration; and Information Systems auditing, monitoring, controlling, and assessment processes.
- Functional knowledge of the security domains and Information Security industry standards and best practices.
- Functional knowledge of ISMS governance models (ISO 27001 & NIST), Information Security roles and security controls.
- Experience managing internal and external audits and closing audit findings.
- Ability to communicate risk methodologies and concepts to the business.
- Demonstrated experience with control definition, development, implementation and assessment.
Key Competencies/Behaviours
- Proactive, influential, and collaborative.
- Multi-tasking and time-management skills, with the ability to prioritize tasks.
- Highly organized and detail-oriented.
- Excellent analytical and problem-solving skills.
- Ability to understand a problem clearly and provide a solution, with excellent communication skills.
- Strong project management skills: manage the project to ensure quality deliverables are produced within timelines.
- Good communication and interpersonal skills.
- Ability to understand new technologies and learn quickly.

Refer code: 996373. Posted by Anagha Padlekar, 2024-04-12 23:06.