iHerb is hiring a
GRC Program Specialist

iHerb

💵 $110k-$184k
📍 Remote - United States of America

Summary

Join our team as a GRC Program Specialist and support the security direction of the business by elevating the company's security posture. The ideal candidate is technical, with at least three or more years of experience in security, compliance, or risk management.

Requirements

  • Experience working with Agile methodology, JIRA, and GRC tools
  • 3+ years of relevant industry experience
  • Strong knowledge of and experience in security risk management lifecycle
  • Familiar with security compliance frameworks and requirements, e.g., SOC 1/2, PCI, ISO27001, NIST CSF, and others
  • Experience in third party risk assessment and third-party risk continuous monitoring
  • Experience in security policy governance lifecycle
  • Experience working with cloud technologies/environments; AWS or other related cloud experience is required
  • Effective communication, interpersonal and leadership skills to work with both engineering and other non-technical stakeholders
  • Strong security and compliance domain knowledge
  • Bachelor's degree or equivalent practical experience

Responsibilities

  • Assist in periodic re-validation of our Top Risks and drive improvements for risk reduction
  • Assist with the implementation and operation of Governance Risk and Compliance (GRC) tooling to further improve and automate our GRC processes and policies
  • Maintain oversight in a GRC-related platform
  • Identify strengths and weaknesses in the security program as they relate to privacy, security, business resiliency and compliance frameworks
  • Document, formulate and enforce areas of security improvement that balance risk with business operations and do not diminish efficiencies or innovation
  • Maintain strong oversight of third parties, vendors, and business partners to safeguard against undue risk presented by external entities; escalate to security management and business unit leads when points of weakness are discovered
  • Analyze findings, and document, recommend and report program gaps to security leadership
  • Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. Apply GRC expertise across key lines of business, including products, practices, and procedures
  • Define qualitative and quantitative metrics to assess the success of the security program and provide regular reports to security and business leadership
  • Ensure security and technology teams maintain up-to-date configuration documentation for systems and processes. Maintain rigorous oversight of security systems and security configuration administration to reduce risk to enterprise systems and accounts
  • Function as a key participant in incident response to track occurrence and resolution, with strict documentation and reporting
  • Help support various parts of the company to adopt a common risk and control framework
  • Assist with all ongoing compliance activities related to the implementation, maintenance, monitoring, and continuous improvement of the Information Security Management System (ISMS)
  • Evaluate the effectiveness of information security controls and performance by developing, monitoring, gathering, and analyzing information security and compliance metrics for management
  • Advise and collaborate with SMEs, including Audit & Compliance teams, to ensure adequate security controls are in place to manage risk and are aligned with leading best practices
  • Perform security policy and standard gap analysis, propose and draft documents and changes
