Senior Associate for IT GRC for Noida

Job Description:

For a role that encompasses IT GRC (Governance, Risk, and Compliance) along with IT Security Audit
responsibilities, especially in the context of NIST, ISO 27001, SOC2, ITGC audit, RBI (Reserve Bank of India)
regulatory compliance, IT Security Compliance, Business Continuity Management (BCM), Disaster Recovery
(DR), and Vulnerability Assessment (VA), the roles and responsibilities would typically include:
Governance, Risk, and Compliance (GRC):
 Develop and maintain IT governance frameworks aligned with industry standards and regulatory
requirements.
 Establish and enforce policies, procedures, and controls to ensure compliance with applicable laws,
regulations, and standards.
 Coordinate risk assessment and management activities across the organization.
 Monitor and report on compliance status to senior management and stakeholders.
 Facilitate audits and assessments to verify adherence to compliance requirements.
 Implement continuous improvement initiatives to enhance the effectiveness of GRC processes.
IT Security Audit:
 Plan, coordinate, and conduct IT security audits based on regulatory requirements and industry best
practices.
 Perform risk-based assessments of IT systems, networks, and applications to identify security
vulnerabilities and weaknesses.
 Review and evaluate controls related to access management, change management, data protection,
and incident response.
 Document audit findings, including recommendations for remediation and improvement.
 Collaborate with internal and external auditors to facilitate audit engagements and address audit
findings.
 Track and monitor the implementation of audit recommendations to ensure timely resolution.
Regulatory Compliance:
 Interpret and apply relevant regulatory requirements, including NIST Cybersecurity Framework, ISO
27001, and RBI guidelines.
 Conduct gap assessments against regulatory requirements to identify areas of non-compliance and
develop remediation plans.
 Coordinate with business units and stakeholders to implement controls and measures to achieve
compliance objectives.
 Prepare documentation and evidence to demonstrate compliance with regulatory requirements.
 Stay informed about changes in regulations and standards and assess their impact on the
organization's compliance posture.
IT Security Compliance:

 Establish and maintain IT security policies, standards, and guidelines in accordance with regulatory
requirements and industry best practices.
 Conduct periodic reviews and assessments to ensure adherence to security policies and standards.
 Implement controls and measures to mitigate security risks and vulnerabilities.
 Monitor and analyse security events and incidents to detect and respond to security breaches.
 Provide guidance and support to business units on security compliance matters.
Business Continuity Management (BCM) and Disaster Recovery (DR):
 Develop and maintain business continuity and disaster recovery plans aligned with organizational
objectives and regulatory requirements.
 Run BCP/DR frameworks
 Conduct business impact analyses and risk assessments to identify critical business functions and
dependencies.
 Coordinate the development, testing, and maintenance of BCM and DR plans.
 Ensure alignment between BCM/DR plans and IT systems, applications, and infrastructure.
 Provide training and awareness programs to ensure effective response and recovery during
emergencies.
Vulnerability Assessment (VA):
 Plan and execute vulnerability assessment activities to identify security weaknesses and
vulnerabilities in IT infrastructure and applications.
 Utilize automated scanning tools and manual techniques to identify and prioritize vulnerabilities
based on risk.
 Analyse and interpret scan results to provide actionable recommendations for remediation.
 Coordinate remediation efforts with IT teams to address identified vulnerabilities in a timely manner.
 Monitor and track the status of vulnerability remediation efforts and report on progress to
stakeholders.
 In summary, this role involves a comprehensive approach to managing IT governance, risk, and
compliance, along with conducting IT security audits, ensuring compliance with regulatory
requirements such as NIST, ISO 27001, and RBI guidelines, and overseeing BCM, DR, and VA activities.
Effective communication, collaboration, and coordination with various stakeholders are essential for
success in this role.
Digital Personal Data Protection Act (DPDPA) and GDPR Compliance:
 Interpret and ensure compliance with the provisions of the Digital Personal Data Protection Act
(DPDPA) and the General Data Protection Regulation (GDPR), as applicable.
 Conduct data protection impact assessments (DPIAs) to identify and mitigate risks associated with the
processing of personal data.
 Develop and maintain data protection policies, procedures, and controls to safeguard the privacy and
confidentiality of personal data.
 Implement measures such as data encryption, pseudonymization, and access controls to protect
personal data from unauthorized access and disclosure.
 Establish mechanisms for obtaining and managing consent for the processing of personal data in
accordance with regulatory requirements.
 Monitor and respond to data subject requests (e.g., access requests, erasure requests) in compliance
with GDPR and DPDPA requirements.
 Facilitate training and awareness programs to ensure compliance with data protection regulations
and promote a culture of privacy within the organization.
 Collaborate with legal and compliance teams to address data protection issues and ensure alignment
with regulatory requirements.
 Maintain records of processing activities and data protection measures to demonstrate compliance
with GDPR and DPDPA obligations.
 Conduct regular audits and assessments to evaluate the effectiveness of data protection controls and
identify areas for improvement.
Competencies:

 Proactively contribute to leadership & handle work stress & people skills
 Strong analytical skills, problem solving skills, and project/program management skills
 Excellent communication skills working with all levels of management across the entire organization
 Ability to handle team strength and work cohesively
 Ability to act in Leadership position
 Work and stretch as required in corporate scenario
 Extrovert and Outspoken
Experience Needed:
 8+ years' demonstrable experience in IT security GRC management, IT security project management,
IT & Data security policy management, and other security practices w.r.t Cloud Infra , Basic IT infra
design and architecture
 Hands-on experience with designing, implementing and managing security IT GRC programs
 Past experience managing a small to mid-sized team
Educational Requirements:
 Bachelor's degree or equivalent business experience in Computer Science, Business Management.
 Certified training in IT & Data security management, risk and compliance solutions and practices.
CISSP, CISA, CISM, GSEC, CRISC, ISO 27K LA or related certification will be added advantage