Job Summary:
The position is responsible for supporting the security direction of the business and elevating the company’s security posture. The GRC Program Specialist is expected to support the security strategy of the business with new and existing information system capabilities. Consequently, the position requires an understanding of legacy systems as well as innovative technologies and requirements. The GRC role is also responsible for the planning, design and maintenance of policies.
Job Expectations:
The ideal candidate is technical and possesses three or more years of experience in security, compliance, or risk management. The role oversees the business’ security requirements and obligations mandated by standards and regulations such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). In tandem with security leadership, the GRC role consistently assesses and validates the assurance of the security, vendor, and third-party risk management program. As a primary point of contact for internal and external auditors, the GRC role monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business. As a key member of the security team, the GRC role must focus on strong risk management and corporate resiliency, and not be driven solely by compliance.
- Assist in periodic re-validation of our Top Risks and drive improvements for risk reduction.
- Assist with the implementation and operation of Governance, Risk and Compliance (GRC) tooling to further improve and automate our GRC processes and policies.
- Maintain oversight in a GRC-related platform.
- Identify strengths and weaknesses in the security program as they relate to privacy, security, business resiliency and compliance frameworks.
- Document, formulate and enforce areas of security improvement that balance risk with business operations and do not diminish efficiencies or innovation.
- Maintain strong oversight of third parties, vendors, and business partners to safeguard against undue risk presented by external entities. Escalate to security management and business unit leads when points of weakness are discovered.
- Analyze findings, and document, recommend and report program gaps to security leadership.
- Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. Apply GRC expertise across key lines of business, including products, practices, and procedures.
- Define qualitative and quantitative metrics to assess the success of the security program and provide regular reports to security and business leadership.
- Ensure security and technology teams maintain up-to-date configuration documentation for systems and processes. Maintain rigorous oversight of security systems and security configuration administration to reduce risk to enterprise systems and accounts.
- Function as a key participant in incident response to track occurrence and resolution, with strict documentation and reporting.
- Help support various parts of the company to adopt a common risk and control framework.
- Assist with all ongoing compliance activities related to the implementation, maintenance, monitoring, and continuous improvement of the Information Security Management System (ISMS).
- Evaluate the effectiveness of information security controls and performance by developing, monitoring, gathering, and analyzing information security and compliance metrics for management.
- Advise and collaborate with SMEs, including Audit & Compliance teams, to ensure adequate security controls are in place to manage risk and are aligned with leading best practices.
- Perform security policy and standard gap analysis; propose and draft documents and changes.
The duties and responsibilities described above may provide only a partial description of this position. This is not an exhaustive list of all aspects of the job. Other duties and responsibilities not outlined in this document may be added as necessary or desirable, with or without notice.
Knowledge, Skills and Abilities:
Required:
- Experience working with Agile methodology, JIRA, and GRC tools.
- 3+ years of relevant industry experience at the specialist level.
- Strong knowledge of and experience in the security risk management lifecycle.
- Familiarity with security compliance frameworks and requirements, e.g., SOC 1/2, PCI DSS, ISO 27001, NIST CSF, and others.
- Experience in third-party risk assessment and third-party risk continuous monitoring.
- Experience in the security policy governance lifecycle.
- Experience working with cloud technologies and environments; AWS or other related cloud experience is required.
- Effective communication, interpersonal and leadership skills to work with both engineering and non-technical stakeholders.
- Strong security and compliance domain knowledge.
- Bachelor’s degree or equivalent practical experience.
The anticipated pay scale for this position can be found below; however, the pay range applicable to you may vary by geographic location based on where the job is located or where you work. The final pay offered to a successful candidate will be dependent on several factors that may include, but are not limited to, the type and years of experience within the job, the type and years of experience within the industry, education, etc. iHerb, LLC is a multi-state employer and this pay scale may not reflect positions that work in other states or locations.
Employees (and their families) that meet eligibility criteria as outlined in applicable plan documents are eligible to participate in our medical, dental, vision, and basic life insurance programs and may enroll in our company’s 401(k) plan. Employees will also be eligible for Time Off and Paid Sick Leave pursuant to the company’s policies. Employees will enjoy paid holidays throughout the calendar year. Eligibility requirements for these benefits will be controlled by applicable plan documents.
For more information on iHerb benefits, visit us at iHerbBenefits.com.
Staffing Agency Submission Notice
iHerb does not accept unsolicited 3rd party (“Agency”) candidates. If you are an Agency, please send any requests to be considered as a supplier in our Vendor Management System to staffingvendors@iherb.com. Do not contact iHerb employees directly. If requested to work on a role, any Agency candidates would be presented through the internal recruiting organization.
About iHerb
iHerb is on a mission to make health and wellness accessible to all. We offer Earth’s best-curated selection of health and wellness products, at the best possible value, delivered with the most convenient experience.
We’re the world’s largest eCommerce platform dedicated to vitamins, minerals, and supplements, and other health and wellness products. For more than 25 years, we’ve been making it simple for people all over the world to purchase the highest quality products. From supplements to skincare to grocery items, we ship over 50,000 products, from over 1,800 brands direct to our customers in 180+ countries.
Our vision is to become the #1 destination for health and wellness across the world.
With a passion for wellness and a mind for innovative solutions, iHerb team members share a vision for a healthier world that drives them each day. Our 5 Shared Values unite our global team:
Focus on the Customer · Empower Our People · Be Entrepreneurial & Pivot Quickly · Embrace Diversity & Inclusion · Strive for Simplicity
iHerb Benefits
At iHerb, we are dedicated to offering programs designed to help our employees and their families stay healthy, live well, and plan for their financial future. Built on a strong foundation, our programs provide options and upgrades with flexibility, protection, and security in mind. For the comprehensive benefits list, visit www.iHerbBenefits.com. For our international team members, you may be eligible for benefits depending on the country where you are employed. The Talent Acquisition Partner/local HR representative will go over the benefits you are eligible for.
iHerb is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status. iHerb provides equal employment opportunities to all applicants for employment and prohibits discrimination and harassment.