GRC Risk Analyst

at Arm

Cambridge CB2 3AP, England, United Kingdom

Start Date: Immediate
Expiry Date: 15 Feb, 2025
Salary: Not Specified
Posted On: 17 Nov, 2024
Experience: N/A
Skills: ISO, Programme Governance, Cloud Services, Reviews, Interpersonal Skills, AWS, Agile, EDR, Firewalls, Vendors, Email Security, Maintenance, Azure, Security
Telecommute: No
Sponsor Visa: No

Description:

JOB OVERVIEW:

The GRC Risk Analyst will be responsible for identifying, analysing and influencing the management of Enterprise IT (EIT) and Enterprise Security (ES) risks.

REQUIRED SKILLS AND EXPERIENCE:

  • Experience in conducting internal security assessments and reviews, articulating and documenting information security risks.
  • Strong familiarity with security standards and audit requirements, including NIST CSF, 800-53, ISO 27001, PCI DSS, and SOC 2 Type 2 reports.

  • BCM programme governance: the development and maintenance of a strategy and enabling governance framework, ideally ISO 22301 aligned.

  • Interpersonal skills are required to interact effectively within the Enterprise Security group, customers and vendors at a tactical level.

  • Agile self-starter who can prioritise quickly and effectively. Contributes through the quality, accuracy and timeliness of the tasks/services provided by self, and quality control of work provided by others.

“NICE TO HAVE” SKILLS AND EXPERIENCE:

  • Hands on experience implementing security within public cloud services (AWS, Azure, Google).
  • Demonstrates a good understanding of the variety of technical security control concepts, procedures and systems (e.g., Email Security, AV, EDR, Firewalls).
  • Security qualifications i.e., CISSP, CISM.
  • Good familiarity with the rest of the Enterprise Security organization (can identify which team fulfils which roles) and a solid grasp of ITIL processes!

Responsibilities:

  • Support internal and external partners on matters of risk assessments, security controls, and framework requirements, ensuring security and compliance requirements are understood.
  • Coordinate EIT responses to regulatory inquiries and audits, making sure Arm is compliant.
  • Support EIT business continuity management (BCM) needs, operationalizing and assuring a capability to safeguard our services and operations in the face of disruption and disaster, and maturing this capability to put us on a firm path to becoming operationally resilient.
  • Ensure continuity and recovery plans are detailed, approved, tested, and maintained by asset owners and custodians.
  • Develop tactical and positive relationships within the business, partners and vendors.
  • Develop Standard Operating Procedures (SOP) to detail procedures for risk assessments, third party assessments, and business process workflows for Security Governance, Risk, Resilience and Compliance.
  • Ensure that fundamental information on accountable technology is accurate (e.g. KB Articles / process maps / training documents and presentations / RACI / Contract information).
  • Identify and raise technology security risks, threats and vulnerabilities, working with risk owners to shepherd the risks to conclusion where possible.


REQUIREMENT SUMMARY

Min: N/A, Max: 5.0 year(s)

Information Technology/IT

IT Software - Network Administration / Security

Finance

Graduate

Proficient

1

Cambridge CB2 3AP, United Kingdom