GRC Program Manager

Job Summary: The GRC Program Manager has oversight responsibility for Information Technology (IT) security risk and controls for Information Technology and business processes. This role will develop and maintain policies, processes and procedures for IT, coordinating with other departments for enterprise-wide policies, processes and procedures.

Additionally, they will help develop and manage corporate-wide IT security and risk assessment programs and training for proactive risk management and control integration. This role is also responsible for preparation, support and remediation for audits and compliance reviews initiated internally or externally.

Essential Job Functions:

• Develop, implement, and maintain the information security program, risk and controls function.
• Collaborate and drive business and cyber risk program alignment across the enterprise, innovate and institute change to manage risk.
• Assist with the implementation and ongoing support for all security measures necessary to ensure Personally Identifiable Information (PII) is secure and all business requirements and applicable State and Federal regulations are met.
• Manage enterprise wide data governance framework, with a focus on improvement of organizational policies and standards, principles, governance metrics, processes, related tools and data architecture.
• Plan, execute, and manage multiple projects to budget, completing audits and business process control reviews.
• Review and test company-wide IT Security & Controls processes to assess business risks, controls, and the overall effectiveness.
• Develop and execute project and vendor risk assessments, recommend risk mitigation techniques, and identify opportunities for security and control improvements.
• Maintain active communication with project teams and vendors, managing expectations and ensuring adherence to policies.
• Work with and support leadership and team members to achieve goals of the IT Security and Controls team.
• Act as the key contact for client Governance, Risk Management and Compliance (GRC) team.
• Create and update content for compliance and privacy training, facilitating sessions for employees and contractors as needed.
• Stay current on the ever-changing information security and privacy landscape, ensuring all policies and controls are relevant.

Minimum Qualifications and Job Requirements:

• Multi-disciplined experience within an IT environment (7+ years).
• Information security, privacy and information protection leadership experience (5 years).
• IT Security & Controls policy and compliance enforcement experience.
• Experience successfully scoping, planning and driving technology development projects.
• Experience creating and enforcing security policies for the Enterprise and our Suppliers.
• ISO information security experience is a plus.
• Audit experience

Skills, Knowledge, and Abilities:

• Proactively problem-solve and multitask while maintaining composure and attention to detail.
• Follow-through mindset to uphold a ‘close the loop’ culture.
• A positive approach to serving customers and providing exceptional customer service.
• Ability to demonstrate good judgment, high ethics and project a professional image.
• Ability to work independently and as a collaborative team member with a positive ‘can do’ attitude.
• The drive to identify and seize opportunities for continuous improvement as business needs change.
• Excellent organization, flexibility and time management skills and the ability to work in a dynamic, deadline-driven environment.
• Exceptional interpersonal and business communication skills (written, verbal, listening).

Other Responsibilities:

• Abide by the policies, procedures, and Code of Conduct of the company.
• Handle personal information (“PI”) that pertains to any individual (e.g., leads, dealers, employees, job applicants, etc.) in accordance with client Privacy Policy and public facing privacy statements on client managed websites.
• Complete any required training.
• Promptly report any known or suspected loss, theft or unauthorized disclosure or use of PI to the General Counsel/Chief Compliance Officer or Chief Information Officer.
• Adhere to the company’s compliance program.
• Safeguard the company’s intellectual property, information, and assets.
• Other duties as assigned.