
Job Description

IT Risk & Cybersecurity GRC

Position: GRC Specialist / Senior Analyst Governance, Risk & Compliance

Experience: 6 Years

Industry: Insurance (Life/General/Health)/BFSI

Role Overview

We are seeking an experienced IT Risk & Cybersecurity GRC professional (6+ years) to oversee our governance, internal audit readiness, regulatory compliance posture and user access review framework within a regulated insurance environment.

The role will play a critical part in managing internal audits, IRDAI/CERT-IN compliance, user access governance, third-party risk, control testing and executive risk reporting.

The ideal candidate must have hands-on experience as both:

  • An auditee for regulatory and internal audits
  • A control assessor / reviewer conducting independent internal reviews

Key Responsibilities

Risk & Control Governance

  • Strong understanding of IT Risk Management lifecycle (Integrated Risk Management, Risk and Control Self-Assessment, Information Risk Assessment, Business Impact Assessment)
  • Perform risk assessments and control testing across IT and cybersecurity domains
  • Identify control gaps and design new controls aligned with evolving threat landscape
  • Track and ensure timely closure of audit observations and risk issues
  • Maintain risk registers and document risk acceptance where applicable
  • Coordinate security incident reporting, root cause analysis and remediation tracking.

Internal & Regulatory Audit Management

  • Act as primary auditee for:
      ◦ IRDAI Cyber Security Audits
      ◦ CERT-IN compliance
      ◦ Internal audits (including Big 4)
      ◦ Financial & ITGC audits
  • Coordinate evidence submission and stakeholder responses
  • Conduct internal mock audits to assess control effectiveness
  • Ensure 100% closure of audit issues within agreed timelines
  • Track remediation and report to senior leadership

User Access Governance

  • Deep understanding of:
      ◦ Privileged Access Reviews
      ◦ Normal User Access Reviews
      ◦ Role-based access control (RBAC)
      ◦ Segregation of Duties (SoD)
      ◦ Joiner-Mover-Leaver (JML) process
  • Conduct periodic UAR across applications and infrastructure
  • Validate access appropriateness and least privilege principles
  • Coordinate with business owners and application teams for certifications
  • Review PAM controls and session monitoring
  • Publish interim and final access review reports

Third Party Risk Management

  • Conduct third-party risk assessments during onboarding in accordance with the organization's risk tolerance
  • Perform annual and continuous risk reassessments
  • Evaluate vendor BCP/DR capabilities
  • Ensure contractual security clauses are aligned with regulatory expectations
  • Track vendor remediation actions

KPI / KRI / KCI Management

  • Define and track security KPIs, KRIs and KCIs
  • Develop risk dashboards for senior management and governance forums
  • Present risk posture updates to leadership

Regulatory Compliance (Insurance Sector)

  • Interpret and implement circulars from:
      ◦ IRDAI
      ◦ CERT-IN
      ◦ Other applicable regulators
  • Translate regulatory expectations into actionable control implementations
  • Conduct gap assessments against regulatory mandates, especially the DPDP Act
  • Drive remediation programs

Policy & Framework Management

  • Review and update ISMS and BCMS policies and procedures
  • Align with ISO 27001, internal group standards and regulatory requirements
  • Drive policy modernization initiatives
  • Coordinate with cross-functional teams to ensure policy adoption and compliance.

Business Continuity & DR

  • Support Business Continuity Planning (BCP) and Disaster Recovery (DR) compliance requirements.
  • Participate in DR drills and ensure documentation readiness.
  • Create and analyze a weighted, risk-based matrix to categorize applications by their business and information security criticality.

GRC Platforms & Reporting

  • Hands-on experience with GRC tools such as:
      ◦ IBM OpenPages (preferred)
      ◦ Archer / MetricStream / equivalent
  • Maintain risk registers and issue trackers
  • Generate dashboards and executive reports

Security Awareness & Training

  • Design and roll out training programs in accordance with the evolving threat landscape
  • Support awareness initiatives to uplift control maturity

Mandatory Skills & Experience

  • 6+ years in IT Risk / Cybersecurity GRC (BFSI/Insurance preferred)
  • Strong audit handling experience (IRDAI exposure highly preferred)
  • Demonstrated experience in User Access Reviews (non-negotiable)
  • Experience with PAM, access governance and audit evidence validation
  • Good understanding of IT infrastructure, cybersecurity concepts and vendor risk processes.
  • Strong communication, documentation & reporting skills
  • Exposure to senior governance forums
  • Ability to independently drive remediation
  • Analytical thinking and problem-solving.
  • Attention to detail and ability to handle multiple compliance workstreams.

Preferred Qualifications

  • Bachelor's degree in IT, Computer Science, Engineering, or related field.
  • ISO 27001 Lead Implementer / Auditor
  • CISA / CRISC / CISSP (added advantage)
  • Experience in regulated insurance environment

What We Are Looking For

A hands-on, detail-oriented, audit-mature GRC professional who:

  • Can independently manage regulatory interactions
  • Understands risk deeply (not checklist-based)
  • Has strong user access governance expertise
  • Can present confidently to senior leadership
  • Can drive closure without supervision

Job ID: 144431539