GRC Consultant (6-9 yrs)

Position - GRC Consultant

Location-Bangalore

Experience-6 to 9 years

Qualification-BE, Bsc or Related field

Position Overview:

We are seeking a motivated and skilled Information Security Risk Manager with a strong background in information security risk management to join our team. The successful candidate will play an essential role in executing and optimizing our organization's risk management framework, focusing on identifying, assessing, and mitigating information security risks. This mid-level role requires both technical knowledge and effective communication skills to articulate complex security concepts to varied stakeholders. The role demands an understanding of regulatory requirements (e.g., UAE Information Assurance) and industry standards (e.g., NIST Risk Management Framework (RMF), ISO 31000, ISO 27001) along with practical experience in information security and risk management.

1. Role Description:

a) Conduct Information Security Governance, Risk & Compliance (GRC) consulting projects for customers globally using various standards like PCI-DSS, ISO 27001, NIST CSF, COBIT, etc., specializing in risk management.

b) Define risk management methodology supported by a threat-vulnerability assessment in collaboration with key stakeholders within the organization.

c) Define, document, implement, and refine information security management frameworks within client organizations. This includes Information security strategy, policies, procedures, standards, guidelines, SOPs, forms, templates, etc.

d) Conduct comprehensive risk assessments in close coordination with internal and external stakeholders.

e) Assist in the implementation/maintenance of information security policies and procedures in compliance with governance, legal, contractual, or internal requirements. o Provide expert guidance to customer Information Security and other departments.

f) Conduct security risk assessments to enable informed decision-making by stakeholders while keeping business objectives paramount.

g) Review security aspects of business cases, IT application/infrastructure changes, project proposals, requirements, solution designs, and system architectures.

h) Create and promote security awareness campaigns and conduct information security awareness programs to enhance the information security knowledge of staff and management on the latest threats and vulnerabilities.

- Manage the assigned team, project management, and delivery management.

- Train the internal team on GRC & risk assessment.

- Participate in presales meetings with prospective customers and offer specialized GRC and risk management consulting services.

- Monitor and review information security compliance.

- Coordinate with the customer IT project management department, vendors, and consultants to build an effective security program.

- Lead annual planning, information security architecture, and governance reviews for customer organizations.

2. Key Responsibilities:

Risk Management:

1. Identify, assess, and prioritize information security risks across the organization.

2. Develop and maintain Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to monitor and measure risk levels and the effectiveness of risk management efforts.

3. Recommend and track the implementation of risk mitigation strategies and controls.

4. Conduct frequent risk assessments and reviews to ensure the effectiveness of controls.

5. Monitor and report on the status of risk management activities and initiatives.

6. Recommend enhancements to risk assessment methodology.

7. Maintain the risk register within the GRC platform, ensuring it is updated with high-quality, relevant content.

Governance:

1. Assist in enforcing information security policies, procedures, and standards.

2. Contribute to the maintenance of a governance framework for managing information security risks

Collaboration:

1. Provide expertise and guidance on information security matters to key stakeholders, fostering strong working relationships across departments.

2. Serve as a liaison and advisor to customer IT project management, vendors, and consultants.

Continuous Improvement:

1. Stay informed on emerging trends, threats, and technologies in information security.

2. Recommend and implement improvements to the risk management framework, tools, and methodologies.

Compliance & Risk Assessments:

1. Conduct independent security risk assessments to support informed decisionmaking aligned with business objectives.

2. Review the security aspects of business cases, IT applications, infrastructure changes, project proposals, requirements, solution designs, and system architectures.

3. Conduct ISO 27001, PCI-DSS, and other compliance assessments as needed, especially for banking information security audits.

Security Awareness:

1. Design and conduct innovative information security awareness programs to educate employees and management about current threats and security best practices.

2. Train and mentor the internal team and clients on GRC, risk assessment, and information security frameworks.

Project & Delivery Management:

1. Oversee project management and delivery for assigned teams, ensuring alignment with client requirements and quality standards.

Required Technical Skills:

Certifications:

Required: CISSP, CISA, CISM, CRISC, CGEIT, GRCP, or GRCA.

Good to have: ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, IAPP Certified, CDPSE, CCSK, CCSP, CCAK, ISO 27701 privacy, ISO 20000, PCI QSA, ISO22301.

- Framework Knowledge: Familiarity with GRC standards/frameworks such as ISO 27001, NIST CSF, COBIT, ITIL, and regulatory requirements like UAE's NESA, RBI CSF, and SAMA CSF.

Experience:

- 6+ years in information security management and governance. Familiarity with systems, database, network, and application security. Knowledge of risk assessment approaches, policy formation, and security protocols.

- Experience with information security architectures and security assessments.

- Detailed experience with ISO 27001/2, PCI-DSS, GDPR, and other security frameworks.

- Experience in conducting risk assessments, especially in banking and finance.