IT Governance, Risk, and Compliance (GRC) Manager

Location: US, within Trustmark's geographic footprint
Posted Date: 2/25/2025 2:00 PM
Job ID: 2025-18245
Category: Information Security
Type: Regular Full-Time
Job Grade: 14
FLSA Status: Exempt
Working Hours: 8-5
Job Location: Company: IT Cybersecurity - 10075

Overview

The responsibility of this job is to serve as the IT Governance, Risk, and Compliance (GRC) Manager in the enterprise Cybersecurity Operations team within the Information Technology (IT) Department. This position supports the Senior Manager of Cybersecurity and Governance and the IT Senior Management team, including the Director of Infrastructure, the Director of Business Software Applications, and the Director of Transformational Services, in the daily operation of the governance, risk, and compliance programs within the IT Department so that the required regulatory policies and guidelines are met.

The IT Governance, Risk, and Compliance (GRC) Manager will work with the team outlined above and with third-party vendor augmentation services, and will coordinate with other functional areas, including the Chief Information Security Officer, the Audit Department, and the Enterprise Risk Management Department, in the management and reporting of the IT Department's governance, risk, and compliance posture against the policies and frameworks identified by regulators and by the organization's senior management. This position will assist the Senior Manager of Cybersecurity and Governance with the day-to-day management of GRC activities, including the quarterly reporting process, the gathering and analysis of risk metrics, performing the 1st Line of Defense Risk Control Self Assessments, and maintaining the Computer Risk Institute Profile within the appropriate regulatory control library and system, so that the IT Department's policies and procedures are documented and assessed. The IT Governance, Risk, and Compliance (GRC) Manager will also work with the IT organization to assist the Sarbanes-Oxley Compliance Manager in support of Sarbanes-Oxley compliance efforts, including performing and reviewing 1st Line of Defense internal controls documentation and testing activities.

Responsibilities

  • Conducting and facilitating IT Risk Assessments and Risk Control Self Assessments
  • Maintaining the IT Risk Appetite Statement, including its metrics
  • Coordinating IT GRC materials with Enterprise Risk, Compliance, and Audit as required
  • Implementing and maintaining the Computer Risk Institute (CRI) control library in the appropriate GRC platform
  • Working with the IT teams and leadership to develop and maintain IT policies and procedures in alignment with the Computer Risk Institute (CRI) Profile and the NIST CSF
  • Working with the IT teams and leadership to develop and maintain the appropriate KPIs, KRIs, and reporting to support the department in meeting regulatory requirements
  • Conducting the 1st Line of Defense Risk Assessment
  • Coordinating with members of management for Change Management reporting
  • Coordinating with Policy Management to ensure policies are reported to the appropriate committee for approval
  • Managing the third-party IT GRC relationships and partners supporting the GRC program, including the development, implementation, and control testing of the appropriate controls aligned with the CRI Profile and the NIST CSF
  • Managing third-party or IT Department control testing and testers, and automating control testing in the appropriate GRC system
  • Performing additional duties as assigned

Qualifications

  • Knowledge of the daily implementation, support, and auditing of networks, operating systems, and applications based on best practices, and of remediation techniques for addressing identified issues
  • Experience using project management methodologies
  • Administrative and security expertise in the implementation and support of network infrastructure, including routers, switches, load balancers, web application security, etc.
  • Knowledge of and experience with IT processes, procedures, quality assurance testing, and control testing
  • Knowledge of and experience with implementing a GRC framework in an IT organization
  • Leadership and management skills to manage third-party vendors and employees
  • Team building, leadership, and interaction skills to work well with other IT teams and departments in the implementation and maintenance of the IT GRC Program
  • B.S. degree in Information Technology, Information Security, Audit, or a related field preferred, or 3-5 years of experience in IT Governance, Risk, and Compliance preferred
  • Knowledge of financial sector security requirements and the ability to interpret the federal laws and regulations that govern IT security in financial organizations (SOX, GLBA, HIPAA, FFIEC, NIST CSF, and the Computer Risk Institute (CRI) Profile) is preferred
  • Experience with ITSM (ServiceNow ITSM preferred)
  • Experience with project management tooling (ServiceNow Project Management preferred)
  • Experience with GRC platforms (AuditBoard, ServiceNow GRC preferred)
  • One or more industry certifications (CISA, CISM, CRISC, CGEIT) preferred


Physical Requirements/Working Conditions: Must be able to sit for long periods of time and use a computer keyboard and/or mouse while viewing computer screens.


Note: This is a brief description of this position, and the position is not limited to the duties described herein. Management retains the right to add, delete, or modify any of these responsibilities at any time during employment.
