We are recruiting on behalf of our client within the professional services industry for a Governance, Risk & Compliance (GRC) Specialist with experience in the retail sector, to join the team delivering the security programme in support of IT Separation at a major UK retailer.
The end-client is a major UK retailer structured around 4 divisions and 23 brands. The end-client wishes to move from a single Group IT function to separate infrastructure and information security instances. The security programme is a core element of the overall IT separation programme. The aim is to replicate the Group design for both infrastructure and Information Security (IS) for each company, with change being as transparent as possible for users and the business, according to the following design principles:
- Minimal transformation
- Minimal Disruption
- Secure by Design
- Service Continuity
Once separated, the security policies and controls will be tailored to the needs of individual retailers.
Key Objectives in the Period:
Specific objectives of the role:
- Assure separation is achieved with compliance throughout the end-to-end supply chain, and across all aspects of the business operating model
- Analyse PCI compliance scope and impacts, carry out GAP analysis
- Recommend policy change if required
- Define Governance, Risk evaluation and Compliance frameworks
- Provide 4th line GRC specialist support for IT separation
- Design of GRC policies and processes
- Maintenance and analysis of risks in line with best practice and changing compliance requirements including compliance with relevant regulatory and legislative requirements such as PCI, ISO/IEC 27001, AML and GDPR
PCI = Payment Card Industry data security standards
ISO/IEC 27001 = the International Organization for Standardization / International Electrotechnical Commission standard for information security management
AML = Anti-Money Laundering
GDPR = General Data Protection Regulation
Key Deliverables in the period:
- GRC Global Framework & Approach (*.ppt) Defines the scope of the entity under management, the governance framework, risk landscape, organisational structure and fit with other aspects of security operations
- GRC Audit Calendar, Policies & Processes (*.xls) Defines the audit schedule both internal and external and the supporting processes
- GRC Logs, Alarms & Controls (*.doc) Defines GRC requirements for Logs, Alarms and Controls including data and processes required
- Compliance Landscape and Best Practice (*.ppt) Provides outside-in compliance landscape and examples of best practice. Carries out benchmarking where necessary, provides external view of best practice and makes recommendations for improvements or changes to client
- Change Request Security Design Authority Analysis (*.doc) For each new Change Request (CR) raised by project teams, reviews the CR and evaluates any impacts on GRC design, policies and processes. Makes recommendations on design to accommodate any risks and provides detailed GRC Acceptance Tests for the change.
- GRC Ticket Handling (*.xls) Where GRC input is required for Service Operations ticket handling, this template captures the GRC evaluation or any actions that arise, with output both to the SOC and to Service Operations
- GRC Roadmap (*.ppt) Aligned to overall enterprise architecture roadmap, including recommendations or requirements for changes to Business Operating Model (BOM) (technology, organisation, processes, resources)
- GRC Process and Business Operating Model Analysis (*.doc) Individual analyses of as-is / to-be business operating model (BOM) and supporting business processes necessary for the implementation of the projects or programme
- Business Change GRC Impact Assessment (*.doc) Provided against specific changes, deliveries or systems. Assesses the changes in business operating model, resourcing, cost/benefit model and business processes. Supported by inputs from business analysis function.
- GRC Risk Register & RAIDD mapping & tracking (*.xls) Risks categorised against security framework. Proactive risk management and on-going mitigation and risk management analysis.
- Security by Design Training Content (*.ppt) Provided for GRC elements of Security Framework against process RACIs.
Essential skills, experience:
- This role will also require the GRC specialist to have knowledge of the General Data Protection Regulation (GDPR) and its implications for business, and to have effectively incorporated GDPR within a GRC management framework as a complete compliance-ready environment.
- Information Security Risks & Compliance professional with >4 years’ experience
- >1 years’ experience in a Risks & Compliance role within retail sector preferably working with a large retailer
- Good communication skills, Team player
- Analytical mind, attention to detail
Ideal skills, experience:
- Experience of construction industry
- Experience working on development and delivery programmes
- Professional qualifications such as ICA Diploma in Governance, Risk and Compliance
inglis jane are digital delivery experts. Since 2001 our community of outcome-focused professionals has used its experience and drive to provide swift, effective solutions for our customers. We work with a diverse range of businesses, including FTSE 100s and start-ups, and across industries including telecoms, media, banking and the Internet. We offer a full range of recruitment services, from contract to permanent and from executive search to developing high-performing teams.
Whether you are applying for a contract or a permanent role with ij, we aim to make your experience:
We are an equal opportunities employer and we welcome all applications regardless of gender, marital status, sexual orientation, race, colour, ethnic origin, nationality, religion or beliefs, disability and age.
Data use and privacy are also important to us. Our policy in relation to Job Seekers’ personal information can be found at https://www.inglisjane.co.uk/privacy-policy