Description

The Senior Security GRC Lead Auditor will plan and execute audits of the firm’s information technology environment, including the annual ISO 27001 audits, preparation of client audit responses, and the execution of third-party vendor audits on behalf of the firm.
 
The Senior Security GRC (Governance, Risk and Compliance) Lead Auditor provides technical and thought leadership in the continual improvement of the firm's ISMS, including audit, risk management, records management, and monitoring of control systems.
 
Responsibilities:
 
  • Lead all aspects of the ISO 27001 audit function, including planning, audit program development, control analysis, testing, issue development, and reporting
  • Manage GRC platform administration. Administer periodic risk assessments, track issues/action plans and drive risk remediation actions to completion. Ensure GRC platform configuration and reporting is in line with Firm compliance requirements
  • Respond to client information security audits in a timely, accurate, and effective manner
  • Provide effective responses to client Request for Proposals and Requests for Information in support of the business development function
  • Ensure that scoped systems are monitored and audited relative to the requirements set forth in the firm's ISMS
  • Report on compliance with the firm’s information security policies and procedures
  • Monitor control systems to ensure that appropriate information access levels and security clearances are maintained
  • Provide guidance and support for the System Governance Virtual Team
  • Coordinate internal and external audit engagements with constituents
  • Provide status reports to the Information Security Team Associate Director and other ISMS stakeholders
  • Maintain records of audit findings and ensure that corrective actions are implemented per the agreed remediation schedule
  • Develop standardized responses and documentation for external audits
  • Develop and provide metrics evaluating the effectiveness of the Information Security function, and Information Security Team's compliance with assigned ISMS responsibilities
  • Provide guidance to Legal regarding acceptable contract terms and conditions
  • Review and redline security schedules and other security requirements associated with proposed client contracts
  • Provide input into policies, standards and procedures. Author standards and procedures designed to safeguard sensitive information
  • Contribute to the Firm's security-related information repositories and other marketing/awareness endeavours
  • Monitor the latest developments in the Information Security discipline and utilize that knowledge for continual improvement by providing formal and informal strategic and tactical plans and roadmaps to the Information Security Team Manager and other stakeholders
  • Mentor junior members of the Information Security Team
 
Skills and Experience:
 
Technical Knowledge and Skills
  • Thorough understanding of security concepts and best practices
  • Authoritative understanding of audit principles applied to common information security domains such as security policy, organizational structure, asset management, human resources, physical security, operations, communications, access control, development and acquisition, incident management, business continuity, and compliance
  • Authoritative understanding of principles, theories, techniques, and methods of information system analysis and risk assessment
  • Expert understanding of security frameworks such as ISO 27001, NIST, SANS CSC
  • Working knowledge of common information systems such as Active Directory, networking, endpoint management, application development principles, and SQL
  • Proficient in the use of Microsoft Excel, Word and other office automation software
  • Capable of providing assistance with the preparation of internal training materials and documentation
Non-Technical Skills
  • Sufficient business acumen to understand the business drivers associated with risk management concepts, particularly those affecting client audits, RFPs, and contractual terms
  • Functional leadership skills such as the ability to direct the action of others, to facilitate meetings, and to report status in a clear and concise manner
  • Strong written and oral communication skills. Ability to convey complex concepts to non-technical constituents. Proficiency in oral and written English
  • Strong project management, analytical and interpersonal skills
  • Ability to set priorities independently given broad executive requirements
  • Demonstrates flexibility in response to the ever-changing priorities of a service provider organization
  • Passionate in the practice and pursuit of Information Security excellence
  • Provide exemplary customer service by striving for first-call resolution and demonstrating empathy, respect, professionalism, and expertise
  • Maintain critical thinking and composure under pressure
  • Gather and analyze facts, draw conclusions, define problems, and suggest solutions
  • Internalize and act upon constructive feedback
  • Adopt new skills and improve existing skills in a dynamic environment
Minimum Education / Experience
  • Education
    • Possess a Computer Science, Information Assurance, or Information Systems Bachelor’s Degree or substantial equivalent experience
  • Experience
    • 3+ years of practical experience in information security technical operations
    • 3+ years of management or supervisory experience in information security with a focus on IS audit, compliance, and risk management
Special Requirements, Licenses, and Certifications
  • ISACA CRISC or CGEIT
  • Lead ISO 27001 Auditor
  • CISSP or SSCP
  • RSA Archer Certified Administrator desirable
  • CCSP or equivalent cloud experience