About the job
Performance Food Group (PFG) is looking for a talented Mgr, Information Security to play a key role in overseeing Information and Privacy Risk Management aspects of the company as a member of the Information Security Department. As PFG strives to mature its Information Security program, there is an increasing need to establish a Risk Management function that focuses on identifying, quantifying, communicating, and tracking risks associated with information assets. Reporting to the Vice President of Information Security and Compliance and working with IT and line of business stakeholders, the Manager will have a heavy focus on compliance with internal/external policies/statutes, IT Risk Management, and Third Party Risk.
Perform assessments of IT controls, processes, and systems, identifying gaps and opportunities to enhance design/operational effectiveness while reducing the cost of compliance. Conduct periodic readouts and risk reviews with IT teams and segment/line of business stakeholders to convey risk and influence decision making. Establish and maintain a Business Impact Assessment of Information Assets with inputs from IT and line of business stakeholders.
Work with IT and LOB teams to conduct and maintain a Business Impact Analysis, establishing risk categorizations for applications and infrastructure based on mission criticality and sensitivity of hosted data.
Work with IT Service Delivery teams, functional line of business application owners, and internal/external counsel on driving compliance with privacy mandates.
Coordinate with Information Security and Infrastructure teams on driving compliance with PFG’s Data Classification Policy.
Establish and maintain an IT Risk and exception management process and source of record to ensure ongoing management and prioritization of operational, financial, reputational, and regulatory risk.
Manage PFG’s Third Party Risk Management Program, assessing third parties for inherent and residual risk based on the nature of their services and their ability to appropriately secure PFG data and provide dependent services.
Negotiate the inclusion of security requirements into third party contract agreements.
Develop and maintain IT Audit and Control documentation.
Establish communication and training plans for areas of responsibility.
Establish and report metrics associated with areas of responsibility.
Establish necessary governance forums (committees, working groups) to ensure sound decision-making and stakeholder communications.
Identify and report on non-compliance with regulatory mandates (e.g., Sarbanes-Oxley Section 404, PCI DSS, HIPAA, GDPR, CCPA).
Conduct operational audits as necessary.
5 – 7 Years
College degree and 5 years of related work experience, or equivalent substantive work experience
- Experience performing IT and security risk assessments, using both qualitative and quantitative methods to identify, quantify, and communicate risk
- Working knowledge of privacy statutes including the European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)
- Experience in assessing hosted service architectures (SaaS, PaaS, IaaS)
- Experience performing third party assessments across information security and control domains, using industry tools/frameworks such as the Cloud Security Alliance and evaluation of Service Organization Controls (SOC) attestations; experience managing supplemental evaluation service providers
- Experience with Data Classification, Data Security, and Data Loss Prevention methods and tools, especially Microsoft Azure Information Protection
- Strong MS Office skills (specifically PowerPoint, Word, Excel, Project, Visio)
- Strong process analysis and engineering skills
- Experience conducting and documenting business impact analysis, designing and implementing Business Continuity/Disaster Recovery plans
- Experience conducting Risk Assessments
- Experience with IT assurance mandates/frameworks such as Sarbanes-Oxley and COBIT
- Demonstrated leadership skills
- Demonstrated high level of analytical and problem-solving skills
- Excellent written and verbal communication skills
- Ability to influence cross-functional and highly matrixed business and IT stakeholders
- CISA, CISM, and/or CISSP certification
- Address: Richmond, VA, USA
- Salary Offer: $100.000 ~
- Experience Level: Manager
- Total Years Experience: 5-10