Senior InfoSec GRC Specialist

The Senior InfoSec GRC Specialist is crucial for managing security inquiries, responding to RFPs, and addressing customer security concerns. This role involves optimizing security customer engagement, identifying and assessing risks, implementing controls, and formalizing agreements. They are responsible for communicating security strategies, policies, and awareness campaigns, ensuring global business unit compliance with frameworks, and reviewing vendor engagement terms while documenting deviations.

Must Have

• Assists in producing responses to security questions in RFPs or customer assessments.
• Acts as first point of escalation for security/compliance questions for customers.
• Reviews third-party vendors for security and compliance controls.
• Manages/oversees annual SOC2 & ISO27001 audits.
• Contributes to annual InfoSec Policies review/edits/updates.
• Reviews client engagement terms and conditions, applying company risk profile.
• Identifies efficiency improvements in the security customer engagement process.
• Communicates strategies, standards, policies, procedures, and awareness efforts.
• Ensures compliance of global business units with applicable frameworks.
• Knowledge of SOC2 and ISO 27001 control frameworks.
• Knowledge of risk frameworks and risk management processes.
• Experienced in Atlassian (JIRA) and proficient in Microsoft Office.
• 7+ years of role-specific experience.
• Demonstrated experience in owning, managing, and responding to Client/Prospect Security Assessments.
• Experience working with Third Party Risk Management/Vendor Assessment tasks.
• Demonstrated experience with SOC 1, SOC 2, and/or ISO 27001 audits and monitoring control activities.
• Experience in owning/editing/contributing to Information Security Policies.

The Senior InfoSec GRC Specialist plays a pivotal role across multiple dimensions. They are instrumental in crafting responses to security inquiries within "request for proposals" (RFPs) and ensuring their prompt delivery. As the initial point of contact for addressing customer security concerns, they actively seek avenues to optimize the efficiency of the security customer engagement process. Moreover, they utilize structured methods and protocols to identify and assess risk, implement pertinent controls, formalize agreements, and diligently follow through on necessary procedures. Effective communication is at the core of their responsibilities, encompassing the dissemination of strategies, standards, policies, procedures, and awareness campaigns to all business partners. They take purposeful actions to guarantee global business units' compliance with relevant frameworks and conduct comprehensive reviews of proposed vendor engagement terms and conditions. Additionally, they apply the company's risk profile, offer pertinent feedback, and meticulously document any deviations from the established processes.

Responsibilities:

• Assists in the production of response to security questions in “request for proposals” (RFP’s) or customer assessments (Due Diligence Questionnaires).
• Acts as first point of escalation for security/compliance questions for current and prospective customers.
• Review third party vendors for security and compliance controls; assesses risk based on a given risk assessment framework (Third Party Risk Management/Vendor Assessment).
• Assists and/or takes the lead in managing/overseeing annual SOC2 & ISO27001 audits.
• Contributes in annual InfoSec Policies review/edits/updates and provides considered input.
• Review proposed client engagement terms and conditions and apply the company risk profile, providing the appropriate feedback as to any changes needed and documenting exceptions to the process.
• Assists in the collation of Enterprise Risk, control and mitigation updates, along with KRIs.
• Identifies efficiency improvements in the security customer engagement process.
• Communicates strategies, standards, policies, procedures, communications, and awareness efforts with all business partners.
• Takes actions as directed to ensure compliance of global business units in actions necessary to ensure compliance with applicable frameworks.
• Keeps up to date with evolving regulations and legislation related to privacy and security as they pertain to Clearwater.
• Ability to manage time effectively by hitting assigned deadlines and milestones.
• Requires minimum supervision to work on daily tickets and tasks, can use documentation and team resources to complete most tasks.
• Capably resolves all but the most complex operational issues without the need for escalation.
• Willingness and ability to maintain a positive, quality-oriented, reliable and flexible attitude.
• Actively seeks opportunities for improving key processes and systems without requiring daily direction.
• Demonstrates the ability to take on an assignment, project, or problem and lead, define, and implement a solution to completion.

Requirements:

• Knowledge of SOC2 and ISO 27001 control frameworks.
• Knowledge of risk frameworks and risk management processes.
• Ability to work effectively in a team environment and across all organizational levels, where flexibility, collaboration, and adaptability are important.
• Excellent attention to detail and strong documentation skills.
• Excellent verbal, written and interpersonal communication skills.
• Experienced in Atlassian (JIRA) and proficient in Microsoft Office.

Experience:

• 7+ years of role-specific experience, preferred
• Demonstrated experience in owning, managing and responding to Client/Prospect Security Assessments (DDQs, RFPs etc.).
• Experience working with Third Party Risk Management/Vendor Assessment tasks.
• Demonstrated experience with SOC 1, SOC 2, and/or ISO 27001 audits and monitoring control activities.
• Experience in owning/editing/contributing to Information Security Policies.
• Experience performing or undergoing internal and external audits.
• Experience with compliance, audit, or operations including development of internal controls, policies, and procedures.
• Experience assisting in risk management processes, control frameworks, KRIs.
• Experience communicating technical controls and processes with customers and stakeholders.
• Demonstrated professional application of information security, compliance, assurance and/or other security practices and principles.