Skip to main content

This job has expired

You will need to login before you can apply for a job.

GRC Engineer

Closing date
14 Jul 2024

View more

Citeline, is part of the Norstella group of Pharma information solutions, is one of the world's leading providers of data and intelligence on clinical trials, drug treatments, medical devices and what's new in the regulatory and commercial landscape. Relying on us to deliver vital advantage when making critical R&D and commercial decisions, our customers come from over 3000 of the worlds leading pharmaceutical, contract research organizations (CROs), medical technology, biotechnology and healthcare service providers, including the top 10 global pharma and CROs.

From drug and device discovery and development to regulatory approval, and from product launch to lifecycle management, we provide the intelligence and insight to help our customers seize opportunities, mitigate risk and make business–critical decisions, faster. As the pharma and healthcare sector faces unparalleled upheaval, customers rely on our independent advice, enabling them to cut through the clutter and make sense of changing drug development, regulatory and competitive landscapes.

We are looking for someone who is motivated, driven, and passionate about information security and finding solutions to

complex business challenges. If you join the Norstella Information Security team, your mission will be to help us build and

operate the GRC program. You will have the exciting opportunity to work with internal and external partners to create lowfriction, high–impact solutions that minimize information security risk to our company, customers, and partners.


  • Assess and document information security internal controls as part of on–going compliance efforts including ISO 27001,
  • ISO 27701, GxP, SSAE–16 SOC 2 Type 2 (Standards of Attestations Engagement No. 16, System and Organizations

    Controls Report 2, Type 2), HIPAA, HITRUST, CCPA/CPRA, and GDPR:

    o Ensure effective and efficient control design, implementation, and testing procedures

    o Evaluate internal control gaps and deficiencies and propose remediation strategies; monitor timely resolution

    o Establish metrics and reporting strategies to communicate status, demonstrate progress, and build awareness

    and accountability around control performance

    o Identify process and control improvement / automation / consolidation opportunities

    o Drive increase in maturity of overall control environment

  • Plans implements and maintains the IT security risk management program capabilities and collaborates with
  • Compliance ERM.

  • Provides leadership and supervision over IT risk capabilities and compliance activities.
  • Assures assessment process effectiveness measurement and optimization of IT general controls within a complex
  • technical environment.

  • Assists in the creation and maintenance of security risk management standards processes procedures and other
  • program documentation.

  • Develops and executes methods to identify and consider relevant internal and external data to enhance objective data
  • driven risk models.

  • Prepares reports and presentations for diverse audiences with varying business perspectives on cyber security risks and
  • IT effectiveness.

  • Supports and administers new Governance Risk & Compliance (GRC) tools implementation and utilization.
  • Performs program management assessments and evaluations to determine compliance with PII HIPAA and IT general
  • controls.

  • Maintains a strong understanding of security frameworks (NIST CSF & RMF, NIST SP800–53) and how these frameworks
  • apply to operational activities within the IT environment.

  • Monitors and analyzes security risks and metrics to identify themes trends correlations and variances.
  • Communicates risk intelligence in a manner that enables business decision–making.
  • Provides risk management subject matter expertise.
  • Provides leadership (no direct people management) to individual contributors building risk capabilities and build
  • program oversight.

  • Assists with the design and implementation of the IT Security Risk Registry.
  • Assists in the establishment of program plans procedures data categorizations risk rank modeling and other factors to
  • provide a holistic representation of IT security risks that the client faces.

  • Develops, implements, maintains, and oversees enforcement of policies procedures and associated plans for system
  • security administration and user system access based on industry–standard best practices and internal business forces.

  • Assists in the development and execution of formal control structure and assessment risk methodologies processes and
  • artifacts

  • Assists in the development and maintenance of an enterprise security controls framework
  • Processes analyses and tracks risk exception requests
  • Periodically reviews security controls for effectiveness and design
  • Maintains an awareness of proposed security standards state and federal legislations and regulations pertaining to
  • information security.

  • Identifies IT Security requirement changes that will affect the organizations requirements legal addendums and risk
  • assessments and recommends appropriate changes

  • Work directly with internal and external auditors on audit–related activities including planning and oversight of audits,
  • walkthroughs, testing, documentation of findings, issue remediation and follow–up

  • Partner with process and control owners to provide support, education, and recommendations for strengthening the
  • internal control environment

  • Assist with the strategy, design, development, implementation, and communication of the information security risk and
  • controls program

  • Develop and maintain information security policies, standards, procedures (processes), and guidelines (best practices)
  • Requirements

  • Minimum of 5 years of experience in designing, implementing, and operating an information security audit and
  • assurance program

  • Knowledge of information security controls across multiple technologies including network, operating system,
  • database, applications, and processes:

    o Access Management; Segregation of Duties (SoD)

    o SDLC; Change Management; Configuration Management; Patch Management

    o Operations and Support; Disaster Recovery

  • Experience developing and maintaining information security control documentation including control matrices,
  • narratives and process flows

  • Knowledge of and experience with:
  • o Governance, Risk, and Control (GRC) frameworks, approaches, tools and methodologies

    o SSAE 16 SOC 1 and 2 attestations

    o Information security risk management and risk assessments

    o GxP, State and Federal Regulatory Compliance (CCPA/CPRA, HIPAA/HITRUST), GDPR

    o Governance Risk & Compliance (GRC) tools implementation and management (E.g., OneTrust)

  • Experience measuring compliance with policies, standards, procedures, and guidelines across a variety of information
  • security disciplines

  • Proven track record for delivering results while developing and maintaining professional work relationships
  • Advanced interpersonal and communication skills with the ability to collaborate effectively in a team environment and
  • promote ideas at various levels of the organization

  • Strong self–directed work habits exhibiting initiative, drive, creativity, maturity, self–assurance, professionalism, and the
  • ability to autonomously manage multiple concurrent projects

  • Advanced analytical and decision–making skills
  • Excellent written and verbal communication skills and the ability to translate security objectives into product team

  • Requirements:

  • Ability to communicate technical concepts to business stakeholders
  • Ability to see patterns, commonalities and investigate complex issues
  • Skilled in documenting risk and compliance activities
  • Excellent judgement in prioritizing security efforts to mitigate the appropriate risks
  • An ability to reason about security decisions and communicate security requirements
  • Bachelor's degree (Information Systems Management or Business Administration preferred), or equivalent work
  • experience

  • Certified Information Systems Auditor (CISA) or equivalent professional certification (e.g., CRISC)
  • CISSP or SANS GIAC certification a plus
  • Previous experience in high–tech software company preferred
  • Previous consulting experience is idea
  • Norstella is an equal opportunities employer and does not discriminate on the grounds of gender, sexual orientation, marital or civil partner status, pregnancy or maternity, gender reassignment, race, color, nationality, ethnic or national origin, religion or belief, disability or age. Our ethos is to respect and value peoples differences, to help everyone achieve more at work as well as in their personal lives so that they feel proud of the part they play in our success. We believe that all decisions about people at work should be based on the individuals abilities, skills, performance and behavior and our business requirements. Norstella operates a zero tolerance policy to any form of discrimination, abuse or harassment.

    Get job alerts

    Create a job alert and receive personalised job recommendations straight to your inbox.

    Create alert