Information Security GRC Manager
World Class Team Environment
First Quality was founded in 1988 and, in nearly three decades, has grown to be a global multi-billion dollar privately held company with over 5,000 employees. Its corporate offices are located in Great Neck, New York, with manufacturing facilities and offices in Pennsylvania, South Carolina, Georgia, Canada, and China. First Quality is a diversified family of companies manufacturing consumer products ranging from Absorbent Hygiene (adult incontinence, feminine care, and baby care), Tissue (bath and towel), purified bottled water, and Industrial (non-woven fabrics, print and packaging materials, thermoformed plastics), serving institutional and retail markets throughout the world. First Quality focuses on private label and branded product lines.
Our core business philosophy is built on a proud culture driven by safety and quality, respect, humility, integrity, customer focus, and teamwork. With leading edge manufacturing technologies and processes and visionary leadership, First Quality is positioned to continue significant growth in the coming years.
The Information Security GRC Manager is responsible for the development and delivery of First Quality’s Information Security Program which includes information security risk management across the First Quality Enterprises. This program ensures that all physical and digital information assets and technologies, as well as employee, client and First Quality data are adequately protected. This role is responsible for defining and maturing the 2nd line of defense (First Quality’s Information Security Risk Management Program) and providing management with updates on the overall security posture of the organization. This role reports directly to the Director of Information Security Governance, Risk, Compliance and Strategy.
ESSENTIAL DUTIES AND RESPONSIBILITIES
The Information Security GRC Manager will be tasked with managing the following Information Security Programs: Enterprise Technology Risk Management, Third Party Risk Management, Data Governance, Security Awareness & Training, and Compliance. The Information Security GRC Manager will work alongside the Director of Information Security Strategy and Governance and other IS team members to identify ways to innovate and mature the Information Security program. The Manager will be responsible for reviewing and escalating issues and shall ensure sound security practices are built into the program.
Enterprise Technology Risk Management
- Mature the Information Security Risk Management Program by defining an IS risk register which includes identifying threats and risks to the organization.
- Meet with business stakeholders to define First Quality’s top 10 security risks.
- Directly responsible for performing IS self-assessments to ensure systems and applications are complying with First Quality policies, applicable regulatory and legal requirements, and leading industry practices.
- Develop and drive the implementation of security best practices and standards to mature the overall IS Risk Management Program which includes defining security system and application standards of control.
- Provide solutions to identified issues and risks.
- Work with the Director of Information Security to determine the acceptable level of risk for enterprise computing platforms.
- Liaise with key functional teams such as HR, IT, Digital Marketing, Finance, Internal Audit, Enterprise Risk, Quality, Office of General Counsel and the Business to identify new applications and service providers in use and the associated security controls to secure the data.
Third Party Risk Management
- Perform Third Party Risk Assessments for new and existing vendor tools, on premise implementations, and third parties with access to the environment.
- Mature the Third Party Risk Management program by defining security controls based on tiers of vendors.
- Articulate identified risks to the business for remediation, mitigation and sign-off.
- Investigate incidents and events, including potential HIPAA and other data breaches, data leakage, brand reputational risks, malware propagation, and system compromises.
Data Governance
- Mature the Data Loss Prevention Program by defining DLP rulesets in existing tools such as Varonis, CASB, and Next Generation Firewalls, and review outputs to determine the appropriate action required.
- Assist with maturing the Data Governance Program which includes defining a Data Classification and Handling Program, identifying Data Owners, and assisting with the design and implementation of a Data Classification and Rights Management tool.
- Establish and maintain Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the Data Governance Security Program and initiatives.
Security Awareness & Training
- Manage and maintain the enterprise wide IS Security Awareness Program which includes phishing simulations, computer based training, proactive communications on latest threats, workshops and newsletters.
- Promote a security mindset through enterprise and functional team specific presentations.
Compliance
- Work with the Office of General Counsel to ensure the Information Security team stays abreast of new regulatory, legal and/or compliance data security requirements.
- Ensure compliance with HIPAA and applicable legal and regulatory requirements.
- Occasional travel: up to 15%
QUALIFICATIONS
- B.S. in a technology discipline (Computer Science, Information Management, Computer Engineering, Cybersecurity or equivalent); security certifications such as CompTIA Security+, CISSP, CISA, CCNA or equivalent, or working towards certification, are preferred
- 7-10 years’ experience working directly in an Information Security or Information Technology department with experience in developing or managing Security Programs
- Strong knowledge of security as it relates to technology. Working experience with Varonis, CyberArk, Proofpoint, Apperature, Skyhigh, Titus, Microsoft Enterprise Mobility Suite, Azure Information Protection, GRC tools or similar
- Familiarity with Windows and SQL network vulnerabilities
- Experience with Operational Technology (OT) environments and securing manufacturing devices a plus
- Strong knowledge and understanding of network design and topologies
- Strong understanding of a "hacker’s" mentality
- Excellent written and oral communications skills; ability to lead discussions, present complex ideas to audiences of all sizes, and interact with all levels of the organization
- Ability to self-manage, work independently with little direction and/or supervision but also work collaboratively in a team environment
- Working knowledge of the following frameworks and regulations: ISO 27001/2, SANS Top 20 Critical Security Controls, ISF Standard of Good Practice, HIPAA Privacy Rule and Security Rule
- Ability to prioritize and multitask; a work approach that supports flexibility and adaptability is paramount
- Detail oriented and ability to think outside of the box to propose solutions to risks
- Ability to communicate security risks to non-technical business stakeholders
Excellent compensation and benefits, which are effective the first day of employment!
Equal Opportunity Employer
First Quality Enterprises
Company Type: Privately Held
Company Size: 1,001-5000