Governance, Risk and Compliance (GRC) Lead
We’re a large scale systems integration company, committed to delivering trusted solutions that help to safeguard Australia. With over 20 years’ local experience and the backing of a 32,000 global network, we currently number 1,000 employees mainly in Canberra and Melbourne. We’re growing fast and are building a business that is focused and fit for the future. Change and innovation are central to the way we work, and we thrive when developing unique, practical solutions to seriously complex challenges.
Your New Role:
Passionate about Governance, Risk and Compliance (GRC)? This Lead position is pivotal in ensuring the ongoing ICT security Governance, Risk & Compliance (GRC) for a Federal Agency Program delivering End User Technology Services and Enterprise Service Management Centre services here in Canberra.
This permanent opportunity will be responsible for providing GRC services to major projects and programs to ensure compliance with the applicable Information Assurance (IA) frameworks, policies, and standards (with particular focus on Information Security manual (ISM), Protective Security Policy Framework (PSPF) and Agency policies.
Duties include, but not limited to:
Develop, implement and maintain security governance, including security frameworks, policies, and standards, for major ICT programs in accordance with the ISM and Agency policies
Develop, implement and maintain the Security Risk Management Plans (SRMPs), System Security Plans (SSPs), Security Risk Assessments, Statement of Applicability (SOAs) to support ongoing system management and Program delivery
Develop assessment and conformance evaluation criteria to ensure successful system risk acceptance and the creation of approved Programs of Actions and Milestones (POA&M).
Maintain and improve the system security governance package
Liaise with service delivery areas, client management, Project Management and client security areas to ensure security processes are appropriately designed, effective, implemented and maintained
Conduct routine audits to validate the conformance and effectiveness of system security control framework to ensure risks remain in tolerance.
Lead the identification, implementation and review of the full range of I&A measures to ensure certification and accreditation is maintained in a complex Federal Agency environment.
About you and what you'll bring
Experience in performing and/or successfully preparing for technical security audits, assessments (including IRAP), re-certification across ICT program delivery
Experience in working with operational teams to achieve a ‘Secure by Design’ outcome that ensures risks are identified and appropriately managed.
Substantial experience in delivering and securing End User Technology Services
Technical background with understanding of commonly deployed security tools, Active Directory and Managed Operating Environment (MOE). (Device Security, Identity Security, Information Security, Mobility, Security Analytics) in a Government context
Previous experience working in a IT Security Officer, Security Manager or IT Security Operations type role.
Substantial experience collaborating with business partners, application development, and technical teams to establish security requirements and ensuring that these objectives were satisfied
Collaborating with client and internal teams to develop and maintain security documentation (SSP, SRMP, SOA, etc.)
Experience or demonstrated knowledge in applying policy and compliance assessment at a technical level across networks, Windows and Unix/Linux environments in the Government context
Familiar with security frameworks and standards (PSPF, ISM, ISO27001, NIST CSF and related key documents)
Knowledge of commonly used risk management methodologies (ISO 31000, NIST CSF and related key documents)
Ability to develop and maintain clearly written documentation (technical, procedural and policy)
Persuasive communication skills when dealing with stakeholders in wide ranging roles and areas of the business
Experience in large scale Enterprise environments and ITIL processes.
Bachelor's Degree in Computer Science, Information Security, Information Systems, or related field, or equivalent professional experience and specialised training commensurate with assignment; or applicable security certifications such as CISSP, CISA, CISM, GIAC, etc.
Experience in Vulnerability Assessment (VA) or Penetration Testing is desirable
Experience in hybrid cloud environments
Started your career in a technical role and transitioned to governance, risk and compliance
This role will require the successful applicant to be an Australian Citizen with a current NV1 and ability to obtain NV2.
At Leidos, we’ve built our business on the ability to Redefine Possible and the same applies to your career. We proudly embrace diversity and support our people at every stage of their Leidos journey in terms of inclusion, accessibility and flexibility. We look forward to welcoming you.
For more information, visit www.Leidos.com