The Senior Manager of IT Governance, Risk and Compliance (GRC) should be an experienced leader with significant management experience in IT Risk Management concepts and regulatory frameworks. The Senior Manager will report to the Chief Information Security Officer and will collaborate closely with Information Technology, the Office of Corporate Compliance, Supply Chain, Enterprise Risk Management and Operations. The Senior Manager must be a detail-oriented, highly organized self-starter who is an experienced manager of people and a practitioner of GRC.
The Senior Manager of IT GRC will lead a team responsible for enhancing and maintaining a risk and governance program to ensure that information and operational assets are adequately protected through the execution of DLC’s North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) program and IT Risk Management programs. This position is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance/regulatory requirements and supports the risk posture of the enterprise. The position is responsible for ensuring that Duquesne Light's information security objectives are met.
Experience with NERC CIP standards is preferred as this position plays a significant role in the day-to-day execution and oversight of DLC’s NERC CIP program. The Senior Manager should drive employee engagement and understanding of the NERC CIP regulations and requirements to ensure DLC maintains compliance, mitigates risk, and ensures appropriate and specific controls are in place to meet DLC’s obligations.
Establishes, enhances and maintains the Information Security governance, risk, and compliance program, including management of staff, budget, projects, and information security strategic plans and priorities.
Develops, maintains, and publishes up-to-date information security policies, standards, and guidelines. Oversees the approval, training, and dissemination of security policies and practices.
Provides oversight and management of DLC’s cybersecurity supply chain risk management program. Creates, communicates, and implements a risk-based process for vendor risk management, including the assessment and treatment of risks that may result from partners, consultants, and other service providers.
Creates and manages information security and risk management awareness training programs for all employees, contractors, and approved system users.
Works directly with the business units to facilitate IT risk assessment and risk management processes and works with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
Provides strategic risk and regulatory guidance for IT projects.
Ensures that security programs comply with relevant laws, regulations, and policies to minimize or eliminate risk and audit findings.
Maintains relationships with leaders in the IT, Enterprise Risk and Compliance departments.
Maintains management reports and metrics associated with information security risk, compliance and other functional areas as defined by management.
Establishes and oversees a formal risk analysis and self-assessment program for various Information Services systems and processes.
Oversees information security policies, standards, guidelines, and baselines. Ensures policies are reviewed and updated regularly.
Manages, coaches, leads, and develops a staff of GRC personnel.
Oversees the development, management and monitoring of the corporate wide information security awareness program.
Supports the CISO and Chief Compliance Officer (CCO) in meeting reporting obligations and evidence requirements, including FERC, NERC, PUC and other regulatory requirements, and ensures that documentation and processes for each effort are in place for audits, spot checks, or other compliance oversight in support of meeting regulatory obligations.
Education/Experience Requirements: Roles at this level require a university/college degree. Higher-level education such as a master’s degree, PhD, or certification is desired. Relevant experience to be successful in the given role is typically 10+ years. At least 3 years of prior management experience is required.
Preferred: Utilities industry experience with NERC CIP regulatory responsibilities.