We are seeking an experienced Security GRC Specialist with in-depth expertise in PCI-DSS compliance and robust security fundamentals. This role will involve managing and conducting risk assessments, document reviews, and periodic audits to ensure compliance with relevant security frameworks. The ideal candidate will have at least 5 years of experience in GRC and security, along with a relevant certification such as CISSP.
Key Responsibilities:
- PCI-DSS and ISO 27001 Compliance: Lead and oversee initiatives for both PCI-DSS and ISO 27001 compliance. Ensure that all policies, processes, and procedures align with both frameworks and address ongoing compliance requirements.
- ISO 27001 Implementation: Develop, implement, and maintain an ISO 27001-compliant Information Security Management System (ISMS). Ensure regular reviews and updates to maintain ISO 27001 certification.
- Risk Assessment: Conduct risk assessments, develop risk treatment plans, and ensure effective implementation to mitigate identified risks in alignment with PCI-DSS and ISO 27001.
- Vendor Risk Assessment: Conduct thorough risk assessments of third-party vendors, assessing their security practices, compliance status, and potential impact on the organization's risk profile.
- Document Review: Review and update policies, procedures, and documentation related to security and compliance on a periodic basis.
- Audit Coordination: Collaborate with auditors, both internal and external, to facilitate a smooth and effective audit process. Act as a liaison between auditors and internal stakeholders to ensure compliance requirements are met.
- Stakeholder Management: Engage with key internal stakeholders, including IT, Operations, and Legal, to ensure alignment with security and compliance requirements.
- Compliance Reporting: Provide regular reports and updates to senior management on compliance status, risks, and action items.
Qualifications and Skills:
- Experience: Minimum of 5 years of relevant experience in security GRC, with a strong focus on PCI-DSS.
- Certifications: CISSP (Certified Information Systems Security Professional) is required. Additional certifications such as CISA, CISM, or PCI-DSS ISA/QSA will be advantageous.
- Technical Knowledge: Strong foundation in information security principles, security risk management, and control frameworks (e.g., ISO 27001, NIST, COBIT).
- Documentation Skills: Proficiency in creating and reviewing security documentation, policies, procedures, and audit artifacts.
- Audit Experience: Hands-on experience working with auditors and managing audit processes, preferably in PCI-DSS, ISO 27001, or similar regulatory standards.
- Communication: Strong interpersonal and communication skills to effectively liaise with technical and non-technical stakeholders.
- Problem-Solving: Demonstrated ability to assess and address security risks, compliance gaps, and operational inefficiencies.
- Knowledge of data protection and privacy regulations such as GDPR.
- Experience with security toolsets for GRC management and reporting.
- Familiarity with industry-standard GRC tools.