Manager, IT Security Governance, Risk, and Compliance
Allison Transmission
- Indianapolis, IN
- Permanent
- Full-time
- Develop and lead an IT security risk management program to identify, assess, and manage risks, including effective data-driven reporting and tracking of risk reduction activities.
- Understand and interpret laws and regulatory requirements related to information protection and develop and implement appropriate processes to keep Allison in compliance and reduce legal liabilities.
- Measure and assure that controls are in place and managed properly to meet legal and regulatory compliance for the protection of all of Allison's information assets.
- Identify gaps and potential security concerns, provide mitigation strategies, and lead all aspects of remediation activities.
- Provide domain expertise in the creation, implementation, and maintenance of appropriate IT security risk programs, policies, and procedures to be aligned with all applicable regulations including ITAR (International Traffic in Arms Regulations), EAR (Export Administration Regulations), NIST (National Institute of Standards and Technology), SOX (Sarbanes-Oxley Act), and various privacy regulations across the IT environment.
- Provide security expertise and guidance around security issues and recommend solutions to mitigate and eliminate compliance risks to Allison information assets.
- Take the helm in monitoring, measuring, and reporting on controls effectiveness for security and compliance, nimbly adjusting strategy and implementation as needed.
- Provide periodic updates to IT leadership regarding the status of the ITGC SOX testing plans, the issues identified, and the decisions regarding the solutions to address the identified problems.
- Employ manual and automated techniques to verify ongoing technical and procedural compliance with organizational standards.
- Assist organization in maintaining a security posture commensurate with the risk tolerance of the organization while meeting business objectives, and regulatory requirements.
- Lead the tracking and periodic reviews of defined exceptions to security policies and standards.
- Maintain relationships with internal and external audit and compliance agencies to facilitate execution of audits.
- Participate and act as a point of contact for IT security risk assessments, customer due diligence questionnaires, audits, and regulatory responses.
- Track and report on IT audit and risk findings, including coordinating IT management forums for discussion and reporting of these findings.
- Lead the Information Security Awareness Training program across the global organization, including training tools and reporting.
- Lead the Allison Transmission Third Party Cyber Risk management program.
- Lead a small team (less than 5) of direct reports.
- Execute, lead, enhance, and implement processes to stay in sync with IT regulatory and corporate requirements.
- Lead the IT Security GRC team by monitoring the team's workload, assigning tasks, reviewing work, and meeting the goals of the global organization.
- Implement Governance, Risk, and Compliance (GRC) methodologies and tools to support structured, traceable, and repeatable processes.
- Develop processes to efficiently collect data to demonstrate control effectiveness for security frameworks.
- Develop and maintain the program roadmap; drive, prioritize, and implement an agenda to deliver tangible results.
- Develop, implement, and supervise reporting mechanisms for governance, security, and risk practices to support compliance and highlight areas of exposure.
- Develop, improve, and operationalize enterprise-level security, risk, and privacy policies, processes, and controls to mitigate risk and follow applicable laws and regulations.
- Engineer a comprehensive control library, mapping our current controls to our corporate and regulatory requirements, addressing any gaps and/or inefficiencies identified.
- Initiate, facilitate, and promote activities to build information security awareness within the ATI Organization and deliver training and oversight in accordance with established information security policies and procedures.
- Provide guidance, expertise, and support for on-going program and process improvements for exceptions management within the ServiceNow system.
- Drive remediation efforts and recommendations as they relate to external and internal security audits.
- Provide oversight and direction related to auditing automation software and applications that handle governance tasks and SOX financial reporting functions, such as ServiceNow GRC and SAP GRC Process Control and Access Control software.
- Perform continuous monitoring and maintain Plans of Actions and Milestones (POA&Ms).
- Bachelor's degree in Computer Science, Information Technology, Cyber Security, or related subject area.
- Risk Management certification (e.g., CRISC, CISSP, CISA, CRCM, or CIPP) is highly desired but not required.
- At least 5 years' experience in Risk Management, Audit, Compliance, Information Security, or IT Governance, with 2 years in a managerial role.
- Understanding of SOX controls and requirements.
- Experience leading the design and execution of IT general controls.
- Experience with IT GRC platforms.
- Experience with policy and control development as it relates to meeting compliance requirements from relevant regulations such as ITAR, EAR, SOX, NIST, GDPR and others.
- Experience developing System Security Plans (SSP) and maintaining Plans of Actions and Milestones (POA&Ms).
- Experience applying cybersecurity and privacy principles to organizational requirements.
- Experience working with internal and external auditors.