Governance Risk and Compliance Specialist

Opportunity Details

LeverageTek is actively seeking a Governance Risk and Compliance Specialist (GRC) – Technology and Enterprise Risk for a permanent position with its Ottawa-based customer.

Work Location

Hybrid preferred (1x/week onsite) or Remote (ON/QC)

Key Tasks

Deliver new security program capabilities by leading IT security, GRC, and cloud technology projects; scope of projects may include IT selection and procurement, development of detailed project, resource, and communications plans, coordination with both IT and organizational change management, and providing task direction to other senior project team members
Deliver daily operations for IT security risk and compliance management programs and associated governance frameworks, including but not limited to:
Complete IT security risk assessments and associated reporting
Perform GRC monitoring, reporting, and policy enforcement by making maximum effective use of automated available from Azure, Microsoft 365, and associated tools
Perform supply chain security assessments across IT products, SaaS and hosted services, and other 3rd party support services partners to ensure security controls are appropriate for business needs and the sensitivity of data involved
Develop and maintain reporting of key measures and metrics for IT security risk, prepare monthly, quarterly, and annual risk reporting artifacts, and support presentation of relevant material to management and executive stakeholders
Develop, implement, and maintain effective monitoring of external and internal cybersecurity threat context and impacts to risk posture
Conduct assessments of security posture, control implementation maturity, and conformance to security policies, standards, and guidelines – including coordination of 3rd party assessments and security penetration testing
Prepare reports, policies, standards, and other documentation of a high standard regarding cyber security guidance and/or requirements
Provide business impact context assessment and guidance related to IT resiliency for service continuity and disaster recovery
Participate in security incident responses as a member of the incident response team and support post-event root cause and risk analysis, providing recommendations towards continuous improvement and risk reduction
Develop security policies and operational procedures, including for cybersecurity incident response processes and playbooks, security configuration management, security in system development lifecycle, etc.
Provide IT security, risk, and compliance advisory support:
Within Technology Solutions to ensure security needs are addressed for all IT domains and to support the integration and continuous improvement of IT security risk and compliance management into IT architecture, engineering, software, system integration, and system development lifecycle processes
To the enterprise, including for domains of vendor and supply-chain security, project threat risk assessments, and operational risk inputs to enterprise risk management
Provide high quality and customer-focused support to both IT and user/stakeholder clients by responding to requests and assignments in a timely, respectful, constructive, and responsive manner
Perform other related duties as needed

Key Qualifications

Recent experience in a Governance Risk and Compliance role supporting Enterprise Risk with a focus on Technology and IT Security
Experience with Microsoft Purview supporting Enterprise-wide initiatives related to data protection (data loss and data leakage)
Experience in a GRC capacity leading the Technology and IT Security risk function while also working very closely with other business stakeholders such as HR, Legal, Finance, Procurement, Vendor Management, Supply Chain etc.

Qualifications

University degree in the field of Computer Science, Information Technology, or in a related discipline
2+ years of experience in security program implementation
Delivering security and technology projects involving the implementation and deployment of new capabilities, transition of services to production operations, and successful adoption by users
Developing effective IT security policy, standard, and guideline documentation
Developing governance frameworks and associated documentation for IT security risk management or compliance programs
Preparing risk, compliance, and/or security program reporting for senior management and/or Board stakeholders
Selecting, implementing, and ensuring conformance with IT Security industry best practices and relevant standards and regulations (e.g., NIST Cybersecurity Framework, ISO/IEC 27001/2, COBIT, SOC 2, Information Security Forum, PCI-DSS, Cloud Security Alliance, SANS, CIS Benchmarks, etc.)
Assessing current state compliance against selected IT security and control frameworks, standards, or audit charter objectives
Conducting security maturity and gap assessments against a desired target control posture state
Conducting IT security threat and risk assessments (TRA) and preparing formal TRA reporting documentation
Selecting, applying, and assessing security control implementation for:
Azure infrastructure services including virtual machines, network security groups, and network zoning
Azure native services, such as backup, encryption, and monitoring
Microsoft 365 services
On premise network infrastructures, including boundary protections, monitoring, and network zoning
Portable and mobile computing devices, including Windows and Mac laptops, and mobile iOS platforms
Implementing, monitoring, and reporting from Azure and M365 portals and tools, such as Security Center, for supporting compliance, vulnerability management, and security score posture optimization
Ability to lead complex IT and security implementation projects involving organization-wide rollout and that rely on successful adoption by key stakeholders and/or large user audiences
Ability to deliver daily operational tasks that must be prioritized effectively around competing project and incident response demands
Ability to successfully deliver a broad program of responsibilities and projects according to a multi-year implementation roadmap
Expertise with Azure and Microsoft 365 security and compliance capabilities for control implementation and current state reporting of posture and compliance
Ability to use critical thinking and problem-solving skills to find out root causes of problems or opportunities
General knowledge of networking and IT security concepts and technologies
Results oriented with excellent time and project management skills
Strong ability to handle multiple concurrent and time-sensitive priorities, able to own and guide projects from beginning to end
Demonstrated leadership skills with an ability to influence and positively inspire others to act
Strategic thinking; creative, innovative, and collaborative out of the box thinker
Leading and managing change

Assets
Prior experience with Microsoft Purview, Microsoft Information Protection, or Azure Information Protection
Developing future state security capability profiles and IT security strategy towards achieving desired future state
Developing Disaster Recovery and IT resiliency preparedness, including conducting business impact assessments, developing business and/or service continuity plans, and developing or exercising disaster recovery plans
Security operations and event investigations, security incident response, network or web application penetration testing, or digital forensics
Applying IT security and compliance concepts to Google Cloud Platform (GCP) environments.
Integrating IT security, compliance, and operations capabilities across multiple public cloud tenants

About LeverageTek IT Solutions

Thank you for taking the time to apply Since our company’s inception in March 2003, LeverageTek IT Solutions has worked resolutely to become one of the industry’s most recognized and trusted suppliers of technology staffing and business consulting services. With hundreds of successful engagements to our credit with many of Canada’s leading public and private sector organizations, we are the experts in identifying, deploying, and supporting IT and business talent on a contract, contract-to-hire, and permanent basis. We work with customers across all sectors including academia, aerospace, aviation, finance, government, health care, high tech, military, not-for-profit, and more.

Our responsive service and ability to deliver the right fit, on time and within budget, typically leads to repeat engagements and a long-standing relationship.

Accessibility accommodations are available upon request.