Manager, IT GRC

Position Summary:

Reporting to the Senior Manager – Security Architecture and Governance, the IT Manager –Governance, Risk & Compliance (GRC) plays a key role in ensuring information security and compliance in the 407ETR by being responsible for elaborating and maintaining thorough internal and external audits, vendor due diligence program, and security risk management program. With the collaboration of relevant stakeholders, they develop, maintain and update all IT Security related policies, and control processes within the 407. The incumbent is an experienced professional with expertise and passion in leading, improving organizational processes to ensure Compliance and Risk Management. The Manager will need to balance information security risk and compliance requirements with business enablement.

Responsibilities:

· Drive change and leadership best practices. Draws upon and supports corporate programs to bring consistency to our people strategy. Provides input and direction on future talent programs. Supports Diversity Equity and Inclusion while establishing trust and transparency in a safe and productive work environment.

· Work closely with business units to achieve compliance with requirements and to address related questions and issues.

· Ensure standards, processes, procedures, and associated metrics are documented and met.

· Consult with Application Security, Risk and Controls (Access, Process control).

· Facilitating and preparing and supporting internal and third-party audits.

· Conduct risks assessments.

· Further enhance and mature the existing security and awareness framework to strengthen enterprise risk management, security & awareness, and compliance.

· Assist with Disaster Recovery and Business Continuity planning initiatives.

· Perform assessments and associated remediation activities to ensure systems and controls are configured in accordance with established policy, best practice guidelines and designated compliance frameworks.

Risk Management:

· Develop and improve information risk management strategies and processes.

· Manage and perform risk assessment initiatives, risk registry, etc.

· Enact risk rationalization and implementation of mitigation strategies and monitoring across IT.

· Maintain information risk tolerance threshold metrics and provide guidelines on ensuring information risk exposure is within tolerance limits.

· Identify and communicate issues and risks and work with cross-functional teams to establish risk mitigation strategies where applicable.

Compliance:

· Ensure compliance adherence across programs and initiatives in respect to legislation and regulation, i.e. PCI, ICFR, ITGC

· Perform assessments of technology solutions, third parties, etc., ensuring compliance to the defined security policies, standards and procedures.

Governance:

· Assist the development and maintenance of 407 ETR security policies, procedures and related documents.

· Work on governance frameworks, work with IT Leadership in order to upscale/improve governance methodology and reporting.

· Oversee information security governance related initiatives.

· Assist in the development and maintenance of a Data Governance program including Integration, Classification, Storage and Quality management

Qualifications:

· Minimum of 7 years of IT security, Information Risk Management or related work experience

· College Diploma or University Degree in Computer Engineering, Computer Science, or Audit preferred

· Intermediate to strong working knowledge of O365 and AWS

· Experience with GRC

· One or more of the following or related certifications preferred:

• Certified Information Systems Auditor (CISA)
• Certified Information Systems Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• Certified in the Governance of Enterprise IT (CGEIT)
• Certified Information Systems Security Professional (CISSP)

· Experience with the following IT Security Frameworks required: Payment Card Industry Data Security Standards (PCI DSS), ISO 27001 / 27002, Control Objectives for Information and Related Technology (COBIT), NIST Cybersecurity Framework preferred

· Familiarity with Agile methodologies such as Lean, Scrum and Kanban preferred

· Demonstrated ability to work with internal stakeholders and external vendors

We are actively seeking to fill this role as it is a current vacancy.

About 407 ETR

Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east. 

407 International Inc. is the sole shareholder of 407 ETR and is owned by: 

• Cintra Global S.E., a subsidiary of Ferrovial S.A. (48.29%)

• Canada Pension Plan Investment Board (CPP Investments) and other institutional investors with non-controlling interests (44.20%)

• Public Sector Pension Investment Board (PSP Investments) (7.51%)

Learn more at 407etr.com

Note: At 407 ETR, we are committed to fostering a diverse, equitable, and inclusive work environment. We value the unique perspectives and backgrounds of all individuals, and we firmly believe that our individual differences make us stronger as a whole.

Our commitment to inclusion extends beyond recruitment and encompasses an inclusive workplace culture through raising awareness, ongoing training, and encouraging feedback. We aim to create a safe and supportive environment where all employees can thrive.

Accommodation for disabilities or other grounds protected by human rights legislation are available upon request for candidates taking part in all aspects of the employment selection process.