Information Security GRC Manager

Maya

Negotiable
Remote · 1-3 years' experience · University graduate · Full-time

Remote Details

Open Country: Philippines

Language Requirements: English

This remote job is open to candidates in specific countries. Please confirm whether you wish to proceed despite possible location restrictions.

Job Description

Description

CORE PROFILE

The Information Security Governance, Risk and Compliance (GRC) Manager is a people manager role within the Information Security Governance and Operations department. The scope includes all aspects of Governance, Risk Management and Compliance as they relate to Information Security of the Maya Group. The incumbent is expected to lead the InfoSec GRC team, composed of individuals with technical and non-technical backgrounds within the InfoSec GRC domain. The role owns the GRC program and is expected to work closely with senior leaders in the company, particularly those in Technology, Risk and Compliance, Legal, and People Group, as primary stakeholders.



NATURE OF WORK

  • Be the central, authoritative source of Information Security Risk information.
  • Develop and maintain Key Performance Indicators and Key Risk Indicators for existing Information Security Program components.
  • Oversee the external party infosec risk management program.
  • Ensure compliance with information security regulations and laws.
  • Maintain cybersecurity certifications (ISO 27001, PCI DSS) and lead future certification efforts.
  • Develop, maintain and enforce security policies.
  • Educate employees and external parties on Information Security as it relates to their functions.
  • Ensure effective and efficient execution of key Information Security controls through various testing and assessment techniques.


DISPLAYED SKILL MASTERY

Technical Skills

  • Proven ability to establish an end-to-end Information Security Risk Management Program
  • Expert knowledge of key Information Security regulations and compliance domains such as:
      • BSP regulations
      • Philippine Laws
      • ISO 27001 and ISO 27701
      • PCI DSS
  • Experience in implementing, maintaining and operating an Information Security GRC tool.
  • Confident in writing security policies and standards and ensuring alignment with necessary compliance regulations and operational aspects of the business.
  • Ability to understand human behavior as it relates to Information Security and identify the necessary interventions to promote secure behavior of employees and relevant external parties.
  • Sufficient experience in reviewing contracts with business partners and customers to ensure appropriate information security clauses are present in partnerships.
  • Proven ability to implement an assurance program to ensure adequate and consistent implementation of key information security controls.
  • Sufficient understanding of security technology as control options to mitigate identified security threats.
  • Working knowledge of threat modelling and ability to implement the discipline on a company level.


Essential Skills

  • Exceptional writing skills and ability to confidently create and deliver presentations to senior management, regulators and stakeholders.
  • Ability to properly prioritize tasks while operating Business as Usual processes and undertaking implementation projects.
  • Ability to lead and influence teams towards a common goal and vision.
  • Accurately identify the root cause of issues and engage necessary stakeholders in crafting solutions.
  • Agility in adapting to new circumstances and ability to adapt to rapid changes.
  • Confidently communicate points to internal and external parties, regardless of their level.
  • Confidently coach and motivate team members.


EXPECTED RESULTS

  • Well-managed Information Security Risk Management Program
  • Solid compliance with existing Information Security laws, regulations and certification requirements.
  • Well-defined Information Security policies and fair and consistent enforcement.
  • Adequately scoped and executed InfoSec Assurance program to monitor the effectiveness of key Information Security controls.


REQUIRED QUALIFICATIONS

  • College degree holder.
  • Expert understanding of Information Security Risk, Audit and Control principles.
  • Desirable certifications:
      • Certified Information Systems Auditor (CISA)
      • Certified Information Security Manager (CISM)
      • Certified in Risk and Information Systems Control (CRISC)
      • ISO 27001 Lead Auditor or Implementer
      • Certified Information Systems Security Professional (CISSP)
      • Payment Card Industry Professional (PCIP)
  • Operational knowledge of global Information Security program frameworks such as the NIST Cybersecurity Framework and MITRE ATT&CK.
  • Proven experience in leading compliance projects in the financial services industry.
  • Experience in managing law enforcement and regulator expectations.
  • Hands-on experience in implementing and using an InfoSec GRC tool
  • Proven ability in mentoring rising leaders, leading teams and presenting information to senior management.

Requirements

Please refer to job description.


Boss

HR Manager, Maya

Posted 05 April 2025

Maya

>1000 employees

Banking and Financial Services
