Posted May 20th

Manager Information Security Governance

Dallas, Texas


Southern Glazer's Wine & Spirits



What You Need To Know


The Information Security Governance and Compliance Manager is responsible for driving governance and compliance at Southern Glazer's Wine and Spirits (SGWS) as part of the Information Security program. In this role, you’ll oversee the development and lifecycle management of governance items such as policies, standards, controls, and compliance frameworks. You’ll also conduct and oversee risk-based compliance testing of internal controls, application controls, infrastructure systems, and information technology processes. This position offers the opportunity to craft program roadmaps, resource planning, and capability enhancements to drive growth and maturity of the ever-important governance and compliance program. You’ll work closely with teams within the Information Technology department, as well as general business areas.

This position reports to the Director of Information Security Governance, Risk, and Compliance. 

Specialized Skills and Technologies


  • Strong knowledge of cybersecurity governance, regulations, and security frameworks
  • Demonstrated understanding of a wide range of compliance and technology frameworks (NIST Cybersecurity Framework (CSF) and 800-53, ISO 27001 & 27002, Cloud Security Alliance (CSA), OWASP, CIS Benchmark, etc.)
  • Ability to understand new laws and regulatory requirements and how they relate to company risk, information security, governance, and compliance
  • Proficient in developing and maintaining governance items such as policies, standards, and controls
  • Expert-level skill in executing compliance control testing programs and processes
  • Strong understanding of the implementation of effective control and/or mitigation options to manage security risks
  • Skill in leading the process of Issues Management and associated remediation efforts
  • NIST CSF Self-Assessment

Leadership and Soft Skills

  • Exceptional consultative and interpersonal skills that result in business relationships of impeccable trust, confidence, and results at all levels within the organization
  • Skilled at managing high-performing teams of GRC analysts

  • Implementing and using GRC/IRM tools to manage GRC processes (experience with ServiceNow GRC/IRM a plus)
  • Knowledge of cloud security concepts and best practices
  • Skilled in the understanding of IT systems and supporting technologies

Primary Responsibilities

  • Lead development, implementation, and maintenance of information security governance items such as policies, standards, and controls
  • Mature and maintain the policy lifecycle management process, ensuring security policies are reviewed and updated on a regular basis and any exceptions are processed and monitored 
  • Maintain the control inventory, establishing control ownership and control mappings to security compliance frameworks such as NIST CSF/800-53, ISO 27001/2, etc.
  • Stay updated with compliance, regulatory, and industry best practices applicable to Southern Glazer's and escalate findings appropriately
  • Provide cybersecurity governance guidance for all projects within the organization that have technology significance, including the evaluation and recommendation of security controls
  • Work closely with the Information Security Risk Management team to design, document, and test controls aligned to mitigate IT risks within the IT organization
  • Conduct regular risk-based compliance testing of information security controls, reporting issues and monitoring remediation efforts 
  • Collaborate with control owners to validate effectiveness of security controls, their procedures, and ensure testability
  • Oversee and drive the Issues Management processes to address issues identified in security assessments, key application reviews, access control reviews, internal or external audits and/or other assessments
  • Conduct the annual NIST Cyber Security Framework (CSF) self-assessment and present findings and accomplishments
  • Act as liaison with internal and external auditors, facilitating meetings, walkthroughs, and discussion of remediation activities for identified deficiencies


Minimum Qualifications

  • Bachelor’s degree in computer science, information security, information technology, or related field of study; or equivalent professional work experience  
  • 10+ years of experience in cybersecurity, IT auditing, risk management, governance, and/or compliance management 
  • 3+ years managing high-performing information security teams
  • Professional governance, risk, or compliance certification such as CISA, CRISC, CGEIT, etc. 
  • Demonstrable experience in writing, editing, and revising governance items such as policies, standards, or controls in support of organizational cyber security activities
  • Ability to understand laws and regulatory requirements and how they relate to risk, security, and compliance
  • Expert-level experience in executing compliance control testing programs and processes 
  • Experience implementing a variety of information security frameworks & controls across a large organization 
  • Strong working experience with the NIST Cybersecurity Framework, ISO 27001 & 27002, Cloud Security Alliance (CSA), OWASP, or CIS Benchmark
  • Experience implementing or enhancing GRC/Integrated Risk Management (IRM) platforms (experience with ServiceNow GRC/IRM a plus) 
  • Knowledge of risk management processes, techniques, and tools 

Physical Demands

  • Physical demands include a considerable amount of time sitting and typing/keyboarding, using a computer (e.g., keyboard, mouse, and monitor), or mobile device
  • Physical demands with activity or condition may occasionally include walking, bending, reaching, standing, squatting, and stooping
  • May require occasional lifting/lowering, pushing, carrying, or pulling up to 20lbs

EEO Statement

Southern Glazer's Wine and Spirits provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.