Job Description: Asst. Manager InfoSec – Governance, Risk and Compliance (GRC)
Overview of Role: The Asst. Manager – InfoSec GRC is responsible for assessing and documenting SMC compliance and risk
posture as they relate to its information assets.
The incumbent provide directions, coordinates and performs SMC security assessment functions and control testing
reporting and activities in accordance with SMC Internal Controls compliance, regulatory and departmental policy and
procedures. The InfoSec GRC Asst. Manager updates and maintains control matrices and spreadsheets and provides
recommendations for management’s consideration. This position ensures compliance with SMC internal controls, regulatory
and information security policies and procedures. The incumbent works with external audit firms, and regulatory agencies to
provide supportive documentation as applicable. The incumbent takes a lead role in ensuring the security of all protected
information collected, used, maintained, or released by SMC.
Duties and Responsibilities:
Perform other duties as assigned to ensure the smooth functioning of the department and maintain the
reputation of the organization as a viable business partner.
Recommend programmatic and technical directions and operate with a high degree of independence in
matters relating to the investigation, impact, and analysis of security incidents, decisions regarding risk, and
measures for computer and network security.
Lead the development and implementation of the organization-wide risk management function of the
information security program to ensure information security risks are identified and monitored.
Internally assess, evaluate and make recommendations to management regarding the adequacy of the
security controls for the Company's information and technology systems.
Evaluate vendor risk; participate in the vendor management process.
Lead the organization-wide information security compliance program, ensuring IT activities, processes, and
procedures meet defined requirements, policies and regulations.
Assist in the development and implementation of effective and reasonable policies and practices to secure
protected and sensitive data and ensure information security and compliance with relevant legislation and
legal interpretation and alignment with business objectives.
Execute strategy for dealing with increasing number of audits, compliance checks and external assessment
processes from customers and external auditors relating to effective security practices, ISO 27001/2, SOC 2.
Interacts in both oral and written communications with all levels of Company staff including; IT,
engineering,senior leadership, general counsel, auditors, customers, and technology vendors and
contractors, in matters related to information security.
Work with customers, external auditors, and outside consultants as appropriate on required security
assessments and audits.
Coordinate and track all information technology and security related audits including scope of audits,
parties involved, timelines, auditing agencies and outcomes. Work with auditors as appropriate to keep
audit focus in scope, maintain excellent relationships with audit entities and provide a consistent
perspective that continually puts the organization in its best light. Provide guidance, evaluation and
advocacy on audit responses.
Problem-Solving Skills
Must be able to assess computer hardware, software, and systems for security risks or violations and work
with company staff and technology vendors to recommend solutions. Must be able to assess the status of
complex multi-location projects as well as identify and track appropriate corrective measures to resolve
issues as they arise. Must have a strong customer service orientation and the ability to project that attitude
to customers in remote locations.
Manage the security awareness training program and strategies to address awareness and training for all
stakeholders as well as technical solutions.
Assist in the development and implementation of Business Continuity Planning and testing, Incident
Response and Disaster Recovery.
Qualifications
6 plus years of advanced IT skills with a high level of information security experience and expertise
Knowledge of information security risk management frameworks and compliance practices, including ISO
27005.
Knowledge ofsecuring network technologies, client, and server operating systems.
Ability to develop security standards and guidelines based on best practices and industry standards
Excellent interpersonal, communication, and presentation skills, including formal report writing experience
Understanding of common security and privacy standards, regulations, and laws relating to a cloud software
development company (e.g., SOC 2, ISO 27001/2, GDPR)
Security awareness training
Preferred Qualifications
Bachelor’s degree in information technology or other related field
Skills in documenting risk and compliance activities
Desirable Information security related training or certifications such as ISO 27001, CISSP, CRISC, or CISA.
Experience performing information security audits or risk assessments
Familiarity with security auditing processes
An understanding of policy development and dissemination.