GRC Analyst

Posted a week ago by CyberApt Recruitment Ltd

Location:
London
Salary/Rate:
£40,000 - £48,000/annum Bonus + Benefits

JOB PURPOSE:

You will support the Cyber Security GRC Manager in implementing and maintaining IT governance, risk management, and compliance capabilities and services across information systems, applications and users to safeguard essential business services and operations from cyber threats.

DIMENSIONS:

  • Work collaboratively in a team of circa 8-10 permanent and temporary GRC resources and specialist 3rd Party GRC service providers.

PRINCIPAL ACCOUNTABILITIES:

  1. Risk Management: support cyber security risk assessments, help validate findings and suggest treatment actions to the relevant stakeholders. Document, monitor and follow up remediation actions for all risks relating to the control environment.
  2. Reporting and Metrics: Gather input data for management information reporting related to the risk and control environment.
  3. Policies and Standards: help develop GRC policies, standards and procedures to monitor information security operational controls, exceptions, risks, and testing including management reporting on performance.
  4. Controls Framework: Ensure a robust IT control environment and support a roadmap for IT controls improvements.
  5. Compliance: run the processes that monitor IT compliance with legal and regulatory requirements such as the Smart Energy Code, Cyber Essentials and the Network and Information Systems (NIS) Regulations as assessed through the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), and support all IT-related audits (internal and external) whose scope is wholly or significantly relevant to the company's cyber security controls.
  6. GRC Systems and Tools: support the implementation and maintenance of the GRC tools, products and systems that help operate GRC frameworks and capabilities.
  7. Stakeholder Management: engage and work with stakeholders across IT, IS and the Business, internal and external auditors, third-party managed service providers and partners to understand IT risks across the enterprise.

NATURE AND SCOPE:

The Information Systems Department supports us in achieving our vision to become the best-performing distribution network operator (DNO). The team achieves this through the provision of technology solutions and the optimisation of current solutions to improve how we operate. Continuous improvement, customer service and seamless delivery are at the heart of this ethos and are therefore strongly underpinned by effective cyber security.

As a GRC Analyst you will support the Cyber and IT risk management activities within . You will also contribute to the cyber security maturity improvement processes that are necessary to safeguard information assets, business services and operations.

  • We ask that you have a practical understanding of governance, risk management, and compliance principles, and an awareness of relevant laws, regulations, and industry standards. We are looking for a detailed knowledge and practical expertise in at least 3 of the following specialist areas:
    • Specific Industry Standards
    • IS/IT Operational Controls and Governance  
    • IT/IS Risk Management 
    • Business Continuity Planning and Disaster Recovery  
    • Supply Chain and 3rd Party Risk Management 

Your principal challenge is to ensure that can demonstrate compliance with the various legal and regulatory demands that are important to retaining its ‘license to operate’ and providing its primary services as a DNO. A cornerstone for this is maintaining a strong security posture across the IT estate by developing a comprehensive controls framework and protecting our information assets.

Qualifications:

  • Practical experience in a GRC role or a related profession (e.g. risk, audit or cyber security), or similar experience in an IT or OT role with a desire to move into cyber security; some relevant training in, or experience of, cyber security risk assessment is required.
  • Experience in operating, maintaining and improving information security management systems (ISMS).
  • Experience of internal and external audit engagements and of delivering cyber security risk and control assessments, with a working knowledge of risk processes, frameworks and procedures.
  • Specific GRC-related professional training, or an academic equivalent in a related subject, together with a recognised information security certification (e.g. CISSP, CompTIA, CISA, CISM, CRISC, MSc Information Security) or a degree or other formal technical qualification (e.g. apprenticeship) in a related area such as networking, cyber security, Information Technology or Operational Technology.
  • Good knowledge of compliance, security and regulatory frameworks such as Cyber Essentials, the Smart Energy Code (SEC), the Network and Information Systems (NIS) Regulations and the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), ISA/IEC 62443, ISO/IEC 27001/27002, GDPR, the Cloud Security Alliance (CSA) STAR framework and SOC 2 Type 2 audits, as well as the Information Technology Infrastructure Library (ITIL), Control Objectives for Information and Related Technologies (COBIT), etc.
  • Proficient in one or more of the following, within a corporate environment:
    • IT / OT operational risks and controls assessment and assurance
    • Business Continuity Planning and Disaster Recovery testing assurance.
    • 3rd Party Supply chain risks, controls and assurance.
    • Physical security risks and controls.
    • Policy, Process, Documentation and Governance
  • Some experience of technical risk assessments in either Information Technology (IT) or Operational Technology (OT) environments, including Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
  • Experience working within a regulated environment, preferably Energy sector Critical National Infrastructure (CNI) and an understanding of power distribution systems or industry best practice would be beneficial.
Type:
Permanent
Start Date:
ASAP
Contract Length:
Full time
Job Reference:
GRC1
Job ID:
221962981
