IT Governance, Risk, and Compliance Specialist
Midland, TX 
Posted 15 days ago
Job Description
Job Details
Job Location
CORPORATE - Midland, TX
Position Type
Experienced
 
Description
Job Summary

The IT Governance, Risk, and Compliance Specialist collaborates with process owners, internal and external auditors, IT, third-party vendors, and various stakeholders to review, monitor, and address issues; manages SOX and cybersecurity compliance programs and supporting assessments; leads compliance audits, Disaster Recovery (DR) testing, and Incident Management plans; ensures adherence to regulations and cybersecurity standards (i.e., SOX, NIST, and CIS); and contributes to enhancing the organization's IT compliance and cybersecurity initiatives.

Responsibilities
  • Oversee risk and vulnerability assessments, validation testing, compliance reviews, and audits in accordance with SOX and the organization's cybersecurity standards
  • Support internal and external audits (i.e., gather requirements, provide evidence, and implement recommendations)
  • Lead enterprise implementation of SOX and cybersecurity controls, policies, and procedures
  • Maintain and monitor a central repository for audit evidence
  • Perform vendor risk assessments (VRAs), validate SOC2 compliance, and maintain the contracts repository
  • Manage end-user and third-party access to enterprise SOX applications based on a zero-trust model
  • Inform the IT Manager of important concerns, drawing attention to hazards, and assist with corrective actions
  • Maintain up-to-date knowledge of procedures and methods that broaden team knowledge and industry expertise
  • Perform an annual review to ensure cybersecurity standards, policies, and practices meet corporate and regulatory demands
  • Assist in responding to risk, cybersecurity, and compliance inquiries from the organization's business units
  • Be proactive in seeking out areas for improvement
  • Offer insightful advice and value-added guidance on process and control enhancements
  • Maintain compliance with Health, Safety, and Environmental (HSE) policies by attending all required HSE training sessions and safety meetings and by always utilizing proper Personal Protective Equipment (PPE)
  • Other duties as assigned

Qualifications
  • Minimum 2 years of experience in a cybersecurity discipline, with a preferred emphasis on risk and compliance
  • Minimum 3 years of experience working with IT infrastructure, enterprise applications, and cloud technologies (Microsoft Azure and O365)
  • Experience auditing information systems and handling audit requests from internal or external parties
  • Understanding of compliance requirements and cybersecurity frameworks (SOX, SOC2, NIST, CIS, etc.)
  • Knowledge of identity management and disaster recovery
  • Knowledge of GRC tools and techniques (i.e. ZenGRC, OneTrust, Archer)
  • Ability to successfully manage third-party audits, compile evidence, and organize audit responses
  • Attention to detail and exemplary organizational skills
  • Effective written and verbal communication skills and the capability to communicate with cross-functional teams
  • Proven analytical and problem-solving abilities for managing initiatives that advance corporate goals

Physical Demands

The physical demands described here represent those required for an employee to successfully perform the role's essential functions. Reasonable accommodation may be made for individuals with disabilities to perform their major responsibilities.

While performing the duties of this job, the employee is regularly required to sit, stand, or walk; use hands to manipulate, handle, or feel; reach with hands and arms; stoop or bend; and talk or hear. The employee must occasionally lift and/or move up to 20 lbs.

Work Environment

The work environment characteristics described here represent environmental conditions an employee will encounter while performing the role's essential functions. The noise level in some work environments can be moderate and an employee may encounter extreme weather conditions while performing major duties. Reasonable accommodation may be provided for individuals with disabilities to perform their major responsibilities.

Disclaimer

The information provided in this job description indicates the general nature and level of work performed by employees within the role's classification. This job description is not to be interpreted as a comprehensive inventory of all duties, responsibilities, and qualifications required of employees assigned to this role.

 

Job Summary
Start Date
As soon as possible
Employment Term and Type
Regular, Full Time
Required Experience
2+ years