Governance, Risk

Reporting to
: Information Risk Director

Department name
: Cyber Governance, Risk & Compliance

Location:
Romania (Bucharest or Cluj-Napoca)

Job Description
We are seeking a
Governance, Risk and Compliance (GRC) Analyst
skilled in interpreting industry regulations and audit standards with proven abilities to conduct gap analysis and identify areas of risk. The GRC Analyst will collaborate with process owners, internal auditors, external auditors, and other stakeholders to assist in reviewing, monitoring, and resolving potential issues. The GRC Analyst role will be a key team member assisting the Cyber Governance Director with ongoing program planning, maturity assessments, metrics oversight and ongoing cyber risk management assignments. This individual is a key contributor to enhancing our information security, information governance, compliance, and risk management processes and procedures.

If this vision excites you, we invite you to apply to our
GRC Analyst
open position to become a MassMutual Romania team member. This is a great opportunity to be a part of the transformational journey at MassMutual Romania. As we continue to grow our business and look for new ways to engage with customers, technology will be paramount, and you can be a part of this important work.

Responsibilities

• Support risk assessments, validation testing, compliance reviews, and audits in accordance with NIST standards, existing and emerging regulations
• Help the team manage various compliance programs, promote implementation of industry standards, and evaluate control improvement opportunities
• Work together with stakeholders to align cybersecurity requirements to our corporate IT, procurement, and privacy departments in context of GRC and NIST CSF 2.0 objectives
• Ensure procedures are up-to-date and communicate methodologies that serve to broaden knowledge of cybersecurity risk processes and industry best practices
• Contribute to security standards, policy reviews, and update GRC processes and practices on an annual or as needed basis to make sure they meet corporate demands
• Assist ECS Cyber Governance in responding to inquiries from the business units and ETX partners about ongoing operational cybersecurity compliance & risk mitigation activities
• Review auditor requests to ensure they are appropriately scoped, review the completeness and accuracy of evidence
• Collaborate with business and engineering teams to identify and enhance existing control processes and assist with preparing necessary materials for audit meetings
• (e.g., control design walkthroughs), follow-up requests, etc.
• Be proactive in seeking out areas for improvement and offer insightful advice and value-added guidance on process and control enhancements
• Independently lead projects, coordinating cross-functional efforts, and ensure proper management communication and project success through completion
• Appropriately escalate issues as needed, and proactive to share information with management to ensure transparency, quality and on time delivery of risk initiatives
• Collaborative mindset to cultivate relationships and ability to communicate with technical and non-technical audiences.

Requirements

• Bachelor's degree in information systems, computer science, cybersecurity, risk management, data analytics or a related field
• 5+ years of direct experience in information security, with a main emphasis on risk and compliance
• 3+ years of expertise conducting cybersecurity assessments and handling audit responses
• Have a good understanding of relevant regulatory compliance requirements and/or emerging regulations (ISO27001, SOC 2, NIST, PCI, GDPR, AI etc.)
• Familiarity with or broad knowledge of various cyber domain controls such as data security, cloud security, identity and access management
• Proven track record of organizing and carrying out several risk and compliance projects
• Effective communication skills and the capability to communicate with cross-functional teams
• Knowledge of GRC tool techniques and best practices (ServiceNow; JIRA; Archer)
• Preferred qualifications: CRISC, CISA, CISM, or CISSP.