GRC Engineer

Relying on us to deliver vital advantage when making critical R&D and commercial decisions, our customers come from over 3000 of the worlds leading pharmaceutical, contract research organizations (CROs), medical technology, biotechnology and healthcare service providers, including the top 10 global pharma and CROs.

As the pharma and healthcare sector faces unparalleled upheaval, customers rely on our independent advice, enabling them to cut through the clutter and make sense of changing drug development, regulatory and competitive landscapes.

We are looking for someone who is motivated, driven, and passionate about information security and finding solutions to

complex business challenges. If you join the Norstella Information Security team, your mission will be to help us build and

operate the GRC program. You will have the exciting opportunity to work with internal and external partners to create lowfriction, high-impact solutions that minimize information security risk to our company, customers, and partners.

• Assess and document information security internal controls as part of on-going compliance efforts including ISO 27001,

ISO 27701, GxP, SSAE-16 SOC 2 Type 2 (Standards of Attestations Engagement No. 16, System and Organizations

Controls Report 2, Type 2), HIPAA, HITRUST, CCPA/CPRA, and GDPR:

o Ensure effective and efficient control design, implementation, and testing procedures

o Evaluate internal control gaps and deficiencies and propose remediation strategies; monitor timely resolution

o Establish metrics and reporting strategies to communicate status, demonstrate progress, and build awareness

and accountability around control performance

o Identify process and control improvement / automation / consolidation opportunities

• Plans implements and maintains the IT security risk management program capabilities and collaborates with

• Provides leadership and supervision over IT risk capabilities and compliance activities.
• Assures assessment process effectiveness measurement and optimization of IT general controls within a complex

• Assists in the creation and maintenance of security risk management standards processes procedures and other

• Develops and executes methods to identify and consider relevant internal and external data to enhance objective data

• Prepares reports and presentations for diverse audiences with varying business perspectives on cyber security risks and

• Supports and administers new Governance Risk & Compliance (GRC) tools implementation and utilization.
• Performs program management assessments and evaluations to determine compliance with PII HIPAA and IT general

• Maintains a strong understanding of security frameworks (NIST CSF & RMF, NIST SP800-53) and how these frameworks

• Monitors and analyzes security risks and metrics to identify themes trends correlations and variances.
• Communicates risk intelligence in a manner that enables business decision-making.
• Provides risk management subject matter expertise.
• Provides leadership (no direct people management) to individual contributors building risk capabilities and build

• Assists with the design and implementation of the IT Security Risk Registry.
• Assists in the establishment of program plans procedures data categorizations risk rank modeling and other factors to

• Develops, implements, maintains, and oversees enforcement of policies procedures and associated plans for system

• Assists in the development and execution of formal control structure and assessment risk methodologies processes and

• Assists in the development and maintenance of an enterprise security controls framework
• Processes analyses and tracks risk exception requests
• Periodically reviews security controls for effectiveness and design
• Maintains an awareness of proposed security standards state and federal legislations and regulations pertaining to

• Identifies IT Security requirement changes that will affect the organizations requirements legal addendums and risk

• Work directly with internal and external auditors on audit-related activities including planning and oversight of audits,

• Partner with process and control owners to provide support, education, and recommendations for strengthening the

• Assist with the strategy, design, development, implementation, and communication of the information security risk and

• Develop and maintain information security policies, standards, procedures (processes), and guidelines (best practices)

• Minimum of 5 years of experience in designing, implementing, and operating an information security audit and

• Knowledge of information security controls across multiple technologies including network, operating system,

database, applications, and processes:

o Access Management; Segregation of Duties (SoD)

o SDLC; Change Management; Configuration Management; Patch Management

• Experience developing and maintaining information security control documentation including control matrices,

• Knowledge of and experience with:

o Governance, Risk, and Control (GRC) frameworks, approaches, tools and methodologies

o SSAE 16 SOC 1 and 2 attestations

o Information security risk management and risk assessments

o GxP, State and Federal Regulatory Compliance (CCPA/CPRA, HIPAA/HITRUST), GDPR

• Experience measuring compliance with policies, standards, procedures, and guidelines across a variety of information

• Proven track record for delivering results while developing and maintaining professional work relationships
• Advanced interpersonal and communication skills with the ability to collaborate effectively in a team environment and

• Strong self-directed work habits exhibiting initiative, drive, creativity, maturity, self-assurance, professionalism, and the

• Advanced analytical and decision-making skills
• Excellent written and verbal communication skills and the ability to translate security objectives into product team

Requirements:

• Ability to communicate technical concepts to business stakeholders
• Ability to see patterns, commonalities and investigate complex issues
• Skilled in documenting risk and compliance activities
• Excellent judgement in prioritizing security efforts to mitigate the appropriate risks
• An ability to reason about security decisions and communicate security requirements
• Bachelor's degree (Information Systems Management or Business Administration preferred), or equivalent work

• Certified Information Systems Auditor (CISA) or equivalent professional certification (e.g., CRISC)
• CISSP or SANS GIAC certification a plus
• Previous experience in high-tech software company preferred
• Previous consulting experience is idea

Norstella operates a zero tolerance policy to any form of discrimination, abuse or harassment.#LI-REMOTE