Job Views: 106
Applications: 31
Recruiter Actions: 22
Posted in: IT & Systems
Job Code: 1515880
Designation & Profile - Manager
Role Purpose:
- The person appointed will be part of the Information Security team and responsible for the management, implementation, and monitoring of Information Security Policies.
- Have a proactive responsibility to deliver secure systems and implement proportionate controls by working with Product, Change, Risk, IT teams and 3rd party vendors.
Qualification:
- Bachelor of Engineering/Technology (BE/B Tech); any security certifications: CISM, CISA
- Information Security Management: Implementation and monitoring of security policies, frameworks, and controls.
- Risk Assessment & Compliance: Expertise in GRC (Governance, Risk, and Compliance), security audits, and regulatory compliance (ISO 27001, NIST, GDPR, etc.).
- Security Controls & Frameworks: Knowledge of CIS Controls, NIST Cybersecurity Framework, and other industry standards.
- Threat & Vulnerability Management: Hands-on experience with vulnerability assessments, penetration testing, and incident response.
- Identity & Access Management (IAM): Experience in role-based access controls, identity governance, and authentication mechanisms.
- Cloud Security: Understanding of security best practices for AWS, Azure, and GCP environments.
- Data Protection & Privacy: Expertise in securing Personally Identifiable Information (PII) and implementing data encryption techniques.
- Security Operations & Monitoring: Knowledge of SIEM tools (Splunk, QRadar, ArcSight) for continuous monitoring and threat detection.
- Third-Party Risk Management: Evaluating and managing security risks related to vendors and suppliers.
- Security Automation & Reporting: Familiarity with automation tools for compliance monitoring, risk assessment, and security analytics.
Roles and responsibilities:
- Implements security controls, risk assessment framework, and program that align to regulatory requirements, ensuring documented and sustainable compliance that aligns and advances business objectives.
- Evaluates risks and develops security standards, procedures, and controls to manage risks. Improves security positioning through process improvement, policy, automation, and the continuous evolution of capabilities.
- Implements processes, such as GRC (governance, risk and compliance), to automate and continuously monitor information security controls, exceptions, risks, testing. Develops reporting metrics, dashboards, and evidence artifacts.
- Updates security controls and provides support to all stakeholders on security controls covering internal assessments, regulations, protecting Personally Identifying Information (PII) data.
- Performs and investigates internal and external information security risk and exceptions assessments. Assesses incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
- Documents and reports control failures and gaps to stakeholders. Provides remediation guidance and prepares management reports to track remediation activities.
- Facilitates the remediation of control gaps and escalates critical issues to leadership. Manages an exception review and approval process, and assures exceptions are documented and periodically reviewed.
- Works closely with control owners and internal and external auditors to ensure requests are completed in a timely manner. Assists with the evaluation of the effectiveness of the information security program by developing, monitoring, gathering, and analyzing information security and compliance metrics for management.
- Identifies, analyzes, evaluates, and documents information security risks and controls based on established risk criteria.
- Conducts security risk assessments of planned and installed information systems to identify vulnerabilities and risks.
- Recommends controls to mitigate security risks identified via risk assessment process. Communicates risk findings and recommendations that are clear and actionable by business stakeholders.
- Researches, recommends, and contributes to information security policies, standards, and procedures. Assists with the lifecycle management of information security policies and supporting documents.
- Performs third-party supplier risk assessments to ensure supply chain risk is managed throughout the supplier's lifecycle. Assesses and reports on the risks and benefits for the business as well as mandates for supplier compliance.
- Assists with review of information security sections within supplier contracts, identifies gaps, and recommends security and data privacy content to close gaps.
- Maintains inventory of relevant suppliers/vendors, controls, and risks for ongoing vendor risk management activities.