Governance Risk and Compliance Specialist (GRC) – Technology and Enterprise Risk

LeverageTek is actively seeking a Governance Risk and Compliance Specialist (GRC) – Technology and Enterprise Risk for a permanent position with its Ottawa-based customer.

Work Location

Hybrid preferred (1x/week onsite) or Remote (ON/QC)

Key Tasks

• Deliver new security program capabilities by leading IT security, GRC, and cloud technology projects; scope of projects may include IT selection and procurement, development of detailed project, resource, and communications plans, coordination with both IT and organizational change management, and providing task direction to other senior project team members
• Deliver daily operations for IT security risk and compliance management programs and associated governance frameworks, including but not limited to:
  • Complete IT security risk assessments and associated reporting
  • Perform GRC monitoring, reporting, and policy enforcement by making maximum effective use of automated available from Azure, Microsoft 365, and associated tools
  • Perform supply chain security assessments across IT products, SaaS and hosted services, and other 3rd party support services partners to ensure security controls are appropriate for business needs and the sensitivity of data involved
  • Develop and maintain reporting of key measures and metrics for IT security risk, prepare monthly, quarterly, and annual risk reporting artifacts, and support presentation of relevant material to management and executive stakeholders
  • Develop, implement, and maintain effective monitoring of external and internal cybersecurity threat context and impacts to risk posture
  • Conduct assessments of security posture, control implementation maturity, and conformance to security policies, standards, and guidelines – including coordination of 3rd party assessments and security penetration testing
  • Prepare reports, policies, standards, and other documentation of a high standard regarding cyber security guidance and/or requirements
  • Provide business impact context assessment and guidance related to IT resiliency for service continuity and disaster recovery
  • Participate in security incident responses as a member of the incident response team and support post-event root cause and risk analysis, providing recommendations towards continuous improvement and risk reduction
• Develop security policies and operational procedures, including for cybersecurity incident response processes and playbooks, security configuration management, security in system development lifecycle, etc.
• Provide IT security, risk, and compliance advisory support:
  • Within Technology Solutions to ensure security needs are addressed for all IT domains and to support the integration and continuous improvement of IT security risk and compliance management into IT architecture, engineering, software, system integration, and system development lifecycle processes
  • To the enterprise, including for domains of vendor and supply-chain security, project threat risk assessments, and operational risk inputs to enterprise risk management
• Provide high quality and customer-focused support to both IT and user/stakeholder clients by responding to requests and assignments in a timely, respectful, constructive, and responsive manner
• Perform other related duties as needed

Key Qualifications

• Recent experience in a Governance Risk and Compliance role supporting Enterprise Risk with a focus on Technology and IT Security
• Experience with Microsoft Purview supporting Enterprise-wide initiatives related to data protection (data loss and data leakage)
• Experience in a GRC capacity leading the Technology and IT Security risk function while also working very closely with other business stakeholders such as HR, Legal, Finance, Procurement, Vendor Management, Supply Chain etc.

Qualifications

• University degree in the field of Computer Science, Information Technology, or in a related discipline
• 2+ years of experience in security program implementation
• Delivering security and technology projects involving the implementation and deployment of new capabilities, transition of services to production operations, and successful adoption by users
• Developing effective IT security policy, standard, and guideline documentation
• Developing governance frameworks and associated documentation for IT security risk management or compliance programs
• Preparing risk, compliance, and/or security program reporting for senior management and/or Board stakeholders
• Selecting, implementing, and ensuring conformance with IT Security industry best practices and relevant standards and regulations (e.g., NIST Cybersecurity Framework, ISO/IEC 27001/2, COBIT, SOC 2, Information Security Forum, PCI-DSS, Cloud Security Alliance, SANS, CIS Benchmarks, etc.) 
• Assessing current state compliance against selected IT security and control frameworks, standards, or audit charter objectives
• Conducting security maturity and gap assessments against a desired target control posture state
• Conducting IT security threat and risk assessments (TRA) and preparing formal TRA reporting documentation
• Selecting, applying, and assessing security control implementation for:
  • Azure infrastructure services including virtual machines, network security groups, and network zoning
  • Azure native services, such as backup, encryption, and monitoring
  • Microsoft 365 services
  • On premise network infrastructures, including boundary protections, monitoring, and network zoning
  • Portable and mobile computing devices, including Windows and Mac laptops, and mobile iOS platforms
• Implementing, monitoring, and reporting from Azure and M365 portals and tools, such as Security Center, for supporting compliance, vulnerability management, and security score posture optimization
• Ability to lead complex IT and security implementation projects involving organization-wide rollout and that rely on successful adoption by key stakeholders and/or large user audiences
• Ability to deliver daily operational tasks that must be prioritized effectively around competing project and incident response demands
• Ability to successfully deliver a broad program of responsibilities and projects according to a multi-year implementation roadmap
• Expertise with Azure and Microsoft 365 security and compliance capabilities for control implementation and current state reporting of posture and compliance
• Ability to use critical thinking and problem-solving skills to find out root causes of problems or opportunities
• General knowledge of networking and IT security concepts and technologies
• Results oriented with excellent time and project management skills
• Strong ability to handle multiple concurrent and time-sensitive priorities, able to own and guide projects from beginning to end
• Demonstrated leadership skills with an ability to influence and positively inspire others to act
• Strategic thinking; creative, innovative, and collaborative out of the box thinker
• Leading and managing change

Assets

• Prior experience with Microsoft Purview, Microsoft Information Protection, or Azure Information Protection
• Developing future state security capability profiles and IT security strategy towards achieving desired future state
• Developing Disaster Recovery and IT resiliency preparedness, including conducting business impact assessments, developing business and/or service continuity plans, and developing or exercising disaster recovery plans
• Security operations and event investigations, security incident response, network or web application penetration testing, or digital forensics
• Applying IT security and compliance concepts to Google Cloud Platform (GCP) environments.
• Integrating IT security, compliance, and operations capabilities across multiple public cloud tenants

About LeverageTek IT Solutions

Thank you for taking the time to apply!  Since our company’s inception in March 2003, LeverageTek IT Solutions has worked resolutely to become one of the industry’s most recognized and trusted suppliers of technology staffing and business consulting services. With hundreds of successful engagements to our credit with many of Canada’s leading public and private sector organizations, we are the experts in identifying, deploying, and supporting IT and business talent on a contract, contract-to-hire, and permanent basis. We work with customers across all sectors including academia, aerospace, aviation, finance, government, health care, high tech, military, not-for-profit, and more.

Our responsive service and ability to deliver the right fit, on time and within budget, typically leads to repeat engagements and a long-standing relationship.

Accessibility accommodations are available upon request.