Governance, Risk

2 weeks ago


Sydney, Australia Experis Full time

**The Company**

Imagine a workplace where compassion is at the core of everything this company does, a place that celebrates collaboration, values your contributions, and offers continuous learning opportunities for your growth.

Work-life balance for this client is more than a buzzword; it's a priority, and diversity and inclusion are deeply embedded in their culture.

Every day, you'll witness the tangible impact of your efforts, knowing you're part of a calling that's bigger than yourself, surrounded by colleagues who become friends and mentors. If you're seeking a workplace where your heart and skills align with a purpose-driven mission, welcome to an extraordinary place to build your career.

**Your New Role**:
Reporting to the Cyber Security Manager, the Cyber Security GRC Analyst will contribute to and provide support for the management and operations of the cyber security functions. A key element of this role will involve developing and maintaining information security policies and workforce training and awareness for our client.

As the GRC Analyst you will serve as a critical resource for staff and leaders regarding information security policy implementation, interpretation, and compliance.

**Your Responsibilities**:
The Cyber Security GRC Analyst is responsible for reducing information security and cybersecurity risk for our client by helping prioritise and drive remediation efforts throughout the organisation through the following:

- Establishing and maintaining governance and compliance standards.
- Conducting audits and risk assessments to identify vulnerabilities internally and within vendor or third-party supplier products.
- Creating, maintaining, communicating, and enforcing information security policies.
- Advising senior leadership on risk management strategies, including risk mitigation, risk reduction, risk transfer, the risk exception process, and residual risk analysis.
- Participating in the management and operations of the cyber security function.
- Developing and maintaining a risk-aware culture.

Under the guidance and support of the Cyber Security Manager, the GRC Analyst should work independently to execute and manage the cybersecurity and risk function consistently with local and global regulations and established frameworks. The GRC Analyst holds team and organization-level responsibilities and may be assigned to lead small to medium-scale projects. The analyst works with staff members belonging to primary business functions, technology services teams, and external vendors providing solutions and services to our client, as well as any partners and affiliates.

**Responsibility Domains**:

- Maintain an information security management system based on NIST CSF, ISO/IEC 27001, NIST SP 800-53, and underpinning established and planned controls.
- Conduct cyber security maturity assessments, technical risk assessments, and supplier risk assessments.
- Manage cyber security performance metrics and reporting, author quality documentation, reports, and dashboards.
- Oversee cybersecurity and technology design principles and security architecture blueprints.
- Conduct security assurance and technical reviews of business and technology solutions.
- Define security requirements and test cases for business and technology solutions.
- Manage change management processes, including review and approval for infrastructure and business solutions.
- Provide support for internal audits and external reviews.
- Oversee identity and access management, including solution design and related controls (IGA, PAM, CIAM).
- Develop and implement user provisioning and de-provisioning policies and procedures.
- Lead workforce security awareness activities, including culture, awareness, and training.
- Design and deliver security awareness sessions and training, custom content, and reporting.
- Oversee vulnerability and patch management using tools such as Microsoft Defender Suite and Qualys.
- Manage security operations, including incident detection and response management.
- Ensure data privacy and data security through data loss prevention measures.

**You Will Need**:
Applied knowledge of SABSA security architecture, focusing on business-driven cybersecurity risk management.

Proficiency in cybersecurity standards and frameworks including ISO/IEC 27001:2013, NIST SP 800-53R5, NIST CSF, ISO/IEC 27004, Australian Information Security Manual, and Essential 8, with applied knowledge in implementation, security audits, and assessments.

Experience in developing and implementing cybersecurity policies, with participation as a lead or contributor in at least two life cycle implementations.
- 5-7 years of demonstrated experience in cybersecurity, especially in cloud-dominated computing environments.
- Experience in technology-based security risk assessments.
- Strong familiarity with Microsoft Security Suite (MSCA), Defender Suite, M365 Security Centre, Purview, and Sentinel.
- Expertise in vulnerability man



  • Sydney, Australia ING Bank N.V. Full time

    ING is proud to be recognised as Australia’s most recommended bank, committed to responsible banking and risk excellence. As a Manager - Risk & Governance, you will have a unique role as the 1st Line Risk Manager sitting within the Line 2 Risk Division. It’s a true Line 1 Risk management position. You will be responsible for developing and maintaining...


  • Sydney, New South Wales, Australia beBeeGovernance Full time $118,000 - $131,000

    Job Opportunity: Governance and Risk Professional. Our ideal candidate will be a seasoned governance professional with a track record of successfully leading risk functions in a regional council environment. The successful applicant will have the skills to effectively engage with councillors, staff, and community stakeholders while fostering a culture of...


  • Sydney, Australia Australian Prudential Regulation Authority (APRA) Full time

    **The role** APRA is seeking a Governance Risk Specialist to join the Non-Financial Risk team in the Cross-Industry Risk division. This role offers a unique opportunity to contribute to APRA’s mission as the prudential regulator of financial institutions. The role will: - play a pivotal role in regulating financial institutions by providing expert advice...


  • Sydney, New South Wales, Australia Macquarie Bank Limited Full time

    Data Risk and Governance | Risk Management Group. Our Risk Management Group is dedicated to ensuring Macquarie meets its Enterprise Data Management obligations while improving confidence in the quality of our data. We collaborate with stakeholders across Macquarie's support businesses to bring critical data usages under governance and manage data risks...


  • Sydney, Australia ING Bank Full time

    REQ-10097080 - 01/06/2025 - Non Financial Risk - Sydney, Australia - ING Bank. ING is proud to be recognised as Australia’s most recommended bank, committed to responsible banking and risk excellence. As a Manager - Risk & Governance, you will have a unique role as the 1st Line Risk Manager sitting within the Line 2 Risk Division. It’s a true Line 1 Risk...


  • Sydney, Australia ASX Full time

    **ASX: Powering Australia's financial markets**: **Why join the ASX?**: When you join ASX, you’re joining a company with a strong purpose - to power a stronger economic future by enabling a fair and dynamic marketplace for all. In your new role, you’ll be part of a leading global securities exchange with a strong brand. We are known for being a trusted...


  • Sydney, New South Wales, Australia beBeeCompliance Full time $80,000 - $120,000

    Job Opportunity. The Assurance Professional role is a critical position in any organization, responsible for implementing and monitoring assurance programs to ensure robust controls and compliance with risk and governance obligations. Key Responsibilities: Support the implementation of enterprise-wide compliance management frameworks, risk management frameworks,...