IT RISK AND COMPLIANCE ADMINISTRATOR
The IT Risk and Compliance Administrator will play a critical role in the delivery of IT information security Risk and Compliance solutions supporting the continuous operations of Contran Corporation and certain of its affiliates. The candidate must be a strategic thinker, highly adept in process analysis, and also able to provide techno-functional support in leveraging the GRC tool to manage our compliance needs.
As part of the information security threat and incident response team, you will directly report to the Manager of the Global Information Security Office and will assist in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) security risks.
Work closely with audit and compliance teams to develop, enhance and oversee SAP access controls. Recommend and define changes to any interfacing IT systems which may be involved in the assigned business process.
You will be responsible for the maintenance and development of IT GRC Risk and Control Self-Assessment programs. In addition, you will serve as an IT point of contact for regulatory reviews, incident management, mitigation and escalation, and internal and external audit activity, with a focus on SOX compliance.
You will be required to provide trusted advisory services and guidance in IT risk and compliance efforts that will reduce organizational risk and improve the organization's overall security posture. You will demonstrate strong skills in the areas of Information Security, Communication, Innovation, Technology, Problem Solving and Service Design.
The ideal candidate is a multi-functional, highly organized, project focused, self-motivated team player who is also a resourceful, proactive problem solver with excellent communication skills and can meet aggressive project deadlines.
You are expected to maintain awareness of current and developing information security regulations, technology, and threats through sound technical capability, a commitment to continuous learning, and networking with information security risk and compliance peers.
Core Competencies - Summary
- Information Technology (IT) security and information assurance inclusive of the integrity, availability and confidentiality of the information
- Provide expertise on ERP (SAP) Compliance and Controls to meet the compliance reporting requirements.
- Knowledge of SAP transaction codes used for both inquiry and update purposes
- Develop Computer Emergency Response Team / Computer Security Incident Response Team
- Assist in coordinated response to security incidents (including active ones)
- Develop Communication plans to disseminate situational status when security events occur (including proactive communication)
- Developing risk assessments for security gaps and compliance adherence
- Development and implementation of information security processes and procedures
Essential Duties and Job Responsibilities:
(Disclaimer – This list is meant to be representative, not exhaustive.)
- Work closely with audit and compliance teams to develop, enhance and oversee SAP access control governance policies, procedures, processes and guidelines using industry leading practices
- Effective utilization of SAP Security implementation methodologies, including role based access controls, user provisioning and leveraging SAP GRC to its fullest extent
- Leverage SAP GRC across multiple SAP Landscapes within the enterprise
- Review/Build/Update monitoring processes and key controls, and perform periodic reviews to mitigate risks related to segregation of duties (SOD) and Sarbanes-Oxley (SOX) for SAP systems (ECC and others)
- Participate in audit and compliance activities
Leadership and Communication
- Drive enterprise change / transformation in the areas of IT risk and compliance
- Unify geographically and culturally diverse organizations into a cohesive security risk and compliance framework
- Manage evolving security risk, legal and regulatory requirements in the context of overall business objectives and constraints
- Effectively communicate to management and senior stakeholders
- Ensure adherence to best practices and audit requirements, including SOX as it relates to IT controls
To perform this job successfully, an individual must be competent in the above areas and be able to satisfactorily perform each essential duty. The requirements listed below are representative of the knowledge, skill and/or ability required. Reasonable accommodations may be made for individuals with disabilities to perform the essential functions.
Education and/or Experience
- Bachelor's degree in an IT / Information Security related discipline and/or a minimum of 7-10 years' experience in the industry
- 7+ years of SAP security and GRC experience working on ERP/ECC environments including experience with Access Control, Risk Management and Process Control
- SAP functional knowledge, configuration or technical (ABAP) development experience. Understands the SAP Data Model.
- Strong experience in SAP and infrastructure security
- SAP User and Role Security Review experience
- Hands-on SAP GRC and security implementation and/or effective SAP audit experience, ideal candidate will have both
- IT security risk and compliance experience with proven knowledge of IT security monitoring tools and a firm understanding of networking fundamentals
- Ability to design and implement IT security practices for the generation and maintenance of standardized system images, network operating system roles, segregation of duties and best practices to ensure compliance with IT GRC standards
- Experience with tools designed to automate adherence to information security policies and regulatory requirements
- Experience with pre- and post-implementation assessment of ERP (SAP GRC) security and controls
- Proven experience in the analysis, regular review and revision of existing information security policies, procedures and standards
- A minimum of 7 years demonstrated ability to develop and deploy enterprise Application Security Compliance and IT Risk Management strategies
- Understanding of, and operational experience with, Enterprise Security Frameworks, Governance and Standards such as ISO 27001 Information Security Management Systems, COBIT, and NIST SP 800-53 Security and Privacy Controls
- Understanding of, and operational experience with, Enterprise Risk Management Frameworks and Standards such as NIST SP 800-39 Managing Information Security Risk
- Experience in interpreting the applicability of global and industry-specific compliance laws and regulations
- Experience with SIEM and Analytic technologies such as LogRhythm or similar technologies
- Technical certifications including CISSP, CISA, CRISC, GIAC
- Strong knowledge of key business processes, their inherent risks, and potential controls
- Experience with SAP Data Steward
- Chemical Industry Experience a plus
- Global Enterprise exposure preferred
- IT governance, operations, and resource planning
- Knowledge of SAP business process, user provisioning process, and security maintenance process.
- Operating systems: Windows, UNIX, Linux
- Information Security architecture framework development
- Computer networking to include protocols, TCP/IP, DNS, VPN, VLAN, routing and switching
- Identity and access management
- Incident response preparation, management, and forensics
- Logical access controls (e.g., Active Directory)
- Physical and environmental security controls
- Cloud Security Compliance
- Threat and vulnerability management
- Business Continuity – Back Up, Recover, Archival, Fail-over
- Virtualization – Private, Hybrid or Public Cloud
- Hardware – Server, Storage, Networking, Data Center Power
- High proficiencies in other IT areas are highly desired
- Ability to read, analyze, and interpret software technical documentation. Excellent ability to write reports, business correspondence, and procedure manuals. Ability to effectively present information and respond to questions from senior IT Management.
- Ability to apply concepts such as fractions, percentages, ratios, and proportions to practical situations
- Expert with a high level of analytical ability where problems are typically unusual and difficult - gather and interpret complex qualitative or quantitative data
- Excellent ability to handle ambiguity and make decisions and recommendations with limited data
- Ability to prioritize and execute tasks in a high-pressure environment and make sound decisions in emergency situations
- Demonstrated leadership and personnel/project management skills
- Experience with a wide range of computer systems and security tools
- Dependability and integrity
- While performing the duties of this job, the employee is regularly required to sit; use hands to type, handle, or feel; and talk or hear. The employee is occasionally required to stand, walk, and reach with hands and arms. The employee must occasionally lift and/or move up to 10 pounds. Specific vision abilities required by this job include close vision.
- Able to work extended hours as business operational needs dictate
- Attend to Network / Infrastructure Monitoring Alerts and coordinate response efforts
- Travel to various company locations in North America and Europe based on Project / Business requirements
- Able to participate in multi-time zone and after-hours support based on business requirements and criticality of IT Projects
- Able to demonstrate analytical/problem-solving skills with capability to identify solutions to unusual and complex problems