About The Position

Under general supervision, the Governance Risk and Compliance Manager leads the Digital Trust and Resilience function under the Arlington Cyber Command. The role will develop and oversee city-wide information security risk management, security governance, information assurance, and emerging technology governance programs, enabling the City to innovate while effectively embedding security by design and managing risk.

Requirements

  • Knowledge of office and administrative practices and procedures.
  • Knowledge of regulatory compliance frameworks (i.e., NIST CSF & 800-53, ISO 27001, SOC, HITRUST, HIPAA, CJIS, PCI).
  • Knowledge of cybersecurity principles and risk management methodologies, such as NIST RMF.
  • Knowledge of data protection and privacy laws and regulations.
  • Knowledge of security and compliance best practices.
  • Knowledge of data analytics dashboards and visualization tools.
  • Knowledge of both legacy on-premises infrastructure and modern cloud technologies.
  • Skill in using PC Software including current Microsoft Office Suite of applications.
  • Skill in communicating professionally and tactfully with other city employees and the public by oral and written means.
  • Skill with organization and attention to detail.
  • Skilled in applying security concepts across all technology stacks.
  • Skilled in facilitation, influence, negotiation, and communication.
  • Skilled in decision-making in security and risk-related scenarios.
  • Skilled in communication and collaboration with internal and external stakeholders.
  • Skilled in governing AI, LLMs, ML, and emerging technologies.
  • Skilled in security control design, implementation, and monitoring.
  • Skilled in problem-solving and decision-making in security and risk-related scenarios.
  • Ability to collaborate with City departments, divisions, and teams to align business processes with regulatory requirements.
  • Ability to conduct risk assessments, identify threats and vulnerabilities, and develop risk mitigation strategies.
  • Ability to motivate staff, project optimism, and lead complex operations.
  • Ability to present and communicate complex information security risk information to non-technical stakeholders.
  • Ability to exercise discretion and independent judgment utilizing knowledge of the organization's policies.
  • Ability to work independently under general instructions.
  • Ability to perform a variety of physical skills including but not limited to filing, pulling, seeing, sorting, squatting, standing, stooping, twisting body, typing, walking, and writing.
  • Ability to operate a variety of office equipment including but not limited to PC, telephone, calculator, scanner, and copier.
  • Ability to prioritize deadlines and tasks.
  • Ability to learn new systems and procedures quickly.
  • Ability to plan, organize, monitor, and collaborate with internal and external stakeholders to accomplish unit objectives.
  • Ability to understand mathematical calculations involving fractions, percentages, and decimals.
  • Ability to work within a set schedule.
  • Bachelor’s Degree
  • Five (5) years of increasingly responsible information security experience in medium to large organizations.
  • Or an equivalent combination of education and experience sufficient to successfully perform the essential duties.

Nice To Haves

  • Four (4) years’ experience managing or supervising a team of security or privacy
  • An advanced security certification, such as Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), or Certified Compliance and Ethics Professional (CCEP).
  • Other equivalent industry certifications or equivalent experience may be considered.

Responsibilities

  • Oversees the Governance, Risk and Compliance (GRC) Division within the Information Security and Privacy Office.
  • Ensures effectiveness of city-wide information security governance practices by developing and implementing policies, procedures, and controls to safeguard sensitive information, and by assessing and mitigating risks to information assets and data.
  • Develops and oversees an information security risk management, information assurance, and emerging technology governance program.
  • Advises on security risk management activities within the City by coordinating or conducting risk assessments, identifying potential threats and vulnerabilities, developing risk mitigation strategies, monitoring progress, and ensuring that appropriate controls are in place.
  • Develops and oversees a data classification program that aligns with organizational risk tolerance.
  • Assesses and governs the use of Artificial Intelligence, Large Language Models, Machine Learning, and other emerging technologies.
  • Ensures the City complies with applicable regulations and contractual requirements by staying updated on relevant regulations, conducting compliance assessments, and supporting internal and external assessments.
  • Develops and prepares comprehensive security risk assessment reports and presentations tailored for diverse audiences, including senior executives and non-technical audiences.
  • Contributes to the strategic direction of the Security Governance, Risk, and Compliance programs for all City services and departments.
  • Meets and maintains qualifications for Criminal Justice Information Systems (CJIS) access.
  • On a nontypical basis, may perform other additional duties not listed in this description that are in alignment with the scope of essential job functions.