Information Security (GRC) Analyst
Job description / Role
• Evaluate the impact of new and changing legal and regulatory requirements, identify potential gaps within ICT governance structure and communicate to affected policy owners.
• Manage ICT-wide process for Policies, Standards, Procedures, and other ICT governance documents to be developed, updated, reviewed, approved, and communicated to applicable stakeholders.
• Author and coordinate the development and maintenance of ICT Policies, Standards and Procedures with structure, quality, and organization. These will be developed in accordance with legal and regulatory requirements and compliance with frameworks including but not limited to the National Institute Standards and Technology (NIST). Collaborate with Subject Matter Experts (SMEs) to gather requirements and deliver documentation.
• Manage a common framework to map relevant requirements to ICT Policy and control objectives in order to create a clear linkage between Policies, Standards, and controls as defined by ICT.
• Facilitate the management and reporting of risks identified by internal and external auditors.
• Provide key insights and quantified risk analysis for Executive Management to facilitate governance related decision making and justify needed improvements of the governance program including its scope, policies, objectives, controls, processes, and procedures.
• Work with internal and external entities to facilitate continuous improvement of Information Security in relation to ICT's evolving business risks and acceptable risk tolerances.
• Implement and manage tools and supporting resources across the ICT to enable teams to effectively leverage risk assessment processes and the Governance Risk and Compliance (GRC) functions.
• Provide oversight and management of third-party testing to ensure that controls are adequate to meet legal, regulatory, policy, standards, and ICT requirements.
• Ensure that controls are adequate to meet ICT Policies; conduct assessments and audits. Design and implement accurate and thorough governance gaps assessments to applicable guidelines, rules, regulations, and best practices.
• Measure the effectiveness of security controls as prescribed by ICT's IS Policy and Standards, regulatory compliance (e.g. FFIEC Cybersecurity Assessment Tool), the CIS Critical Security Controls, and ISACA's COBIT 5.
• Manage service providers which assist ICT in performing vendor assessments.
• Coordinate across ICT teams a cohesive approach in assessing vendor risk across Security, Privacy and Business Continuity through common processes, reporting, and tools.
• B.S. degree in Information Security, Computer Science or a similar field, or equivalent work experience in IT audit, information security or a related field.
• Must have 5+ years of work experience in Information Security, Audit, Risk, and/or Compliance. Open to experience in other relevant fields (i.e., finance, business administration, information technology, etc.) as long as the candidate can demonstrate relevancy to this Information Security based role.
• Direct experience with regulated.
• Strong verbal and written communication skills - experience in Audit/Compliance/Regulatory discussions.
• CISSP, CISA, CRISC, CISM, GIAC certifications preferred.
• Experience with GRC applications.
• Demonstrated capacity to learn, intellectual honesty and independent thinking.
About the Company
SATORP, with its promising future, is one of the most complex refineries in the world, with a processing capacity of 400,000 barrels per day of Arabian Heavy Crude to produce petroleum products and petrochemicals, with a commitment to the highest international standards of health, safety and environment, while at the same time pursuing continuous development and leadership in the region. This world-class refinery, which came into being out of the expertise of the two oil giants Saudi Aramco and Total, is located at Jubail Industrial City in the east of Saudi Arabia.