INFORMATION SECURITY GRC SPECIALIST (Available to sit in Philadelphia or Indianapolis)

Barnes & Thornburg LLP
Philadelphia, PA Full Time
POSTED ON 2/1/2025
AVAILABLE BEFORE 3/2/2025
Summary

As a key member of the Information Security team, the Information Security GRC Specialist is responsible for overseeing technology risk management policies, procedures, and guidelines. This role ensures that technology risks are measured, prioritized, and appropriately maintained in the risk register. The GRC Specialist will analyze, document, and manage risks related to business operations, and will monitor and enhance risk management processes where necessary.

Essential Duties And Responsibilities

  • Serve as a subject matter expert and advisor on technology-related risks, acting as the primary Information Security contact for IT and non-IT processes and stakeholders.
  • Collaborate internally and with external consultants and contacts on risk assessments, security policy and documentation management, third-party risk management, and ISO 27001 ISMS operations.
  • Identify, assess, and manage technology-related risks, maintaining the Information Security Risk Register.
  • Assist with periodic risk reporting to Firm leadership, and documenting of management’s response to identified risks.
  • Conduct IT Risk Assessments for on-premises and cloud-based infrastructure, platforms, applications, and key technology services, in line with IT Risk Management Methodology.
  • Assess the risks associated with major IT changes and technology implementations.
  • Manage exceptions and waivers related to internal security standards, unapproved software, web/email content filtering, password policies, etc.
  • Collaborate with IT Infrastructure to ensure that security controls are integrated into Business Continuity/Disaster Recovery planning, ensuring the continuity of security controls where applicable.
  • Assist with the operation of the Information Security Management System (ISMS) and Privacy Information Management System (PIMS) in alignment with ISO 27001:2022 and ISO 27701:2019 standards.
  • Manage security control requirements from various sources, including ISO 27001 annex controls, client requirements, legal/regulatory guidelines, and other relevant frameworks.
  • Respond to security audits, questionnaires, and assessments from clients and external parties, supporting marketing and procurement teams with security-related content for client RFPs and vendor agreements.
  • Analyze and recommend improvements to business and IT processes from an information security perspective.
  • Ensure security control requirements are adequately covered in policies and procedures, recommending updates and improvements as necessary.
  • Coordinate the periodic review and update of security policies in accordance with Firm guidelines.
  • Develop and manage the Security Awareness Program, including strategic planning and curriculum development.
  • Coordinate content creation and delivery schedules for both broad and targeted security training.
  • Monitor and report on participation in the Awareness Program, helping to address any compliance issues.
  • Oversee periodic assessments of IT vendor relationships, ensuring that third-party risk management issues are resolved and tracked.
  • Perform security reviews of vendor agreements in coordination with the Procurement and Legal teams.


The employee must be able to perform all essential job duties and responsibilities of this position satisfactorily and as outlined, with or without reasonable accommodations. Reasonable accommodation requests may be accommodated, absent undue firm hardship.

Knowledge, Skills And Abilities Required

  • Bachelor’s degree or equivalent experience.
  • A minimum of 3 years of relevant experience in IT, Risk Management, or Information Security.
  • Security or IT certifications such as CISSP, CISA, Security+, or similar preferred.
  • Proficient in various IT risk and threat assessment methodologies.
  • Experience with security governance, compliance, or control frameworks, including ISO 27000 series, SOC 2 Type II.
  • Strong background in developing and managing IT security policies, procedures, and standards.
  • Broad technical expertise in at least one area such as IT infrastructure, systems engineering, networking, or application development.
  • Familiarity with operating systems, application architectures, and security technologies.
  • Working knowledge of network and security protocols, including TCP/IP, SMTP, FTP, SSH, TLS, SSL, HTTP, IPSec, and other VPN protocols.
  • Basic understanding of IT concepts such as networks, systems and databases, as well as foundational cybersecurity principles (e.g. risk management, threat management, vulnerability assessments).
  • Strong proficiency in Microsoft Office Suite (Excel, PowerPoint, Word, Outlook) with advanced skills in Excel for data analysis, tracking and reporting.
  • Ability to work in a fast-paced and demanding environment and respond to shifting priorities while meeting deadlines.
  • Excellent oral and written communication skills; must be able to articulate issues and information accurately, clearly and succinctly.
  • Strong analytical and problem-solving abilities needed to address complex questions and issues.
  • Must have strong organizational skills and be extremely detail-oriented; attention to detail, high-level of accuracy, issue-tracking, follow-up and resolution skills are essential.
  • Ability to maintain confidentiality and discretion of sensitive information.
  • Ability to work independently as well as collaboratively.
  • Familiarity with project management tools (e.g. Microsoft Project, Asana, Trello) preferred.


The above is intended to describe the general content of and requirements for the performance of this job. It is not to be construed as an exhaustive statement of essential functions, responsibilities or requirements. Subject to firm needs, duties and responsibilities of this position may change at any time, on a temporary or permanent basis, and with or without notice.

Working Conditions

  • Normal law office environment with little exposure to excessive noise, dust, temperature and the like.


Equal Employment Opportunity and Diversity Statement

Barnes & Thornburg is committed to equal employment opportunity in both principle and as a matter of policy. We will recruit, hire, train, promote, compensate and provide benefits to all applicants and employees without regard to ancestry, sex, race, color, ethnicity, national origin, gender, age, religion, religious creed, mental and/or physical disability, medical condition, military and/or veteran’s status, genetic information, marital status, sexual orientation, gender identity and/or expression, or any other basis protected by applicable federal, state and local laws. This policy applies to all recruiting, hiring, promotions, upgrades, layoffs, compensation, benefits, terminations and all other privileges, terms and conditions of employment. The firm complies fully with all federal, state and local equal employment opportunity laws.
