Ball Corporation is currently looking for a motivated and nimble person for the position:

IT Governance, Risk & Compliance (GRC) Analyst II

(Location: GBS Belgrade)

Primary purpose of position:

The IT Governance, Risk & Compliance (GRC) Analyst II is a critical member of the Global Ball Security Team working for the Manager of IT GRC.  The GRC Analyst II is responsible for all Global IT Security Policy and Awareness efforts, IT risk assessments, Regulatory compliance and support of IT audits.  This position drives awareness of risk and appropriate measures to manage risk across the business, enabling business and technology stakeholders to make informed and accountable decisions with regards to the protection of Ball Corporation and its information assets.

Reports to: IT GRC Manager

Main tasks:

• Develop, globally ratify, enforce and maintain the Information Security policies and standards
• Facilitate ongoing (regularly scheduled and ad hoc) external security risk assessments and serve as point of contact to internal audit and other stakeholders on security assessments and audits
• Effectively manage risk using our IT Security risk matrix, including overall prioritization of findings, proactive mitigation planning, stakeholder communications and management of remediation activities
• Provide IT coordination and assurance for all external compliance efforts including Global Privacy, SOX, HIPPA, etc. as well as ensure internal compliance with security policies and standards
• Develop and support all aspects of the Ball information security training and awareness program development and execution to include continuing evaluation for program effectiveness and improvement
• Perform Vendor / supplier security risk assessments and provide business recommendations
• Develop local information security policies, standards and procedures, ensuring a compliant environment based on statutory, legal and Ball defined information security requirements
• Work with stakeholders to globally ratify IT security policies and controls
• Maintain information security policies and standards including annual reviews and updates
• Collaborate with all teams to communicate and enforce security controls
• Establish and oversee a formal IT security risk analysis and self-assessment program
• Perform assessments of the IT security/risk posture within the IT network, systems and software applications (including using 3rd parties, as needed)
• Identify opportunities to reduce risk and document remediation options regarding acceptance or mitigation of risk scenarios
• Address questions and coordinate remediation from internal and external audits and examinations
• Work with the rest of the Global Security Team to identify and resolve security and risk gaps in the security program with an aim to reduce the impact/occurrence of security related incidents
• Coordinate and liaise with Legal and Internal audit teams to support operational, legal, and regulatory requirements such as Global Data Privacy, SOX, HIPPA, etc.
• Identify the top human risks to our organization and the behaviors we need to change to mitigate those risks
• Coordinate activities to create information security awareness within the organization (trainings, workshops, open forums)
• Train and motivate employees to make compliance and information security an inherent part of our corporate culture
• Work in concert with communications staff within the Ball corporate environment to effectively socialize safe and secure computing practices and procedures
• Develop and execute communication and marketing strategies focused on security policies, standards, and guidelines via all available channels including internal social media, email, online portal and print campaigns
• Maintain a repository/library of content materials for security awareness training, communications, and marketing
• Interpret and summarize technical information for presentation to non-technical business resources
• Partner with Global IT security to conduct and manage an ongoing company-wide cyber phishing training program
• Partner with Corporate Communications to effectively convey Awareness messages to employees and contractors
• Ensure that our security awareness program communicates our security policies and requirements so that people know, understand and can follow them
• Create a positive program that engages employees, to include focusing on changing behaviors both at home and at work
• Ultimately, we want our employees to demonstrate the same secure behaviors regardless of where they are or the devices they are using
• Display practical knowledge of different message distribution techniques to ensure end user communities understand and continually apply the required behavioral change necessary to reduce human risk
• Adapt strategy to incorporate and address emerging technologies and risks.
• Create a metrics framework that can effectively measure engagement, behaviors, and impact
• Reference: zE8t59QuR3z7hbzASBtYWK5QNhSIXuWQWfUgDJENonk.

Requirements:

Qualifications and experience

• The GRC Analyst II should have no fewer than 2+ years of direct experience and expertise in information security
• 4+ years of experience in coordination of IT Security Policy, Risk Management, Compliance and Awareness efforts within a global corporation (multicultural environment) desired
• Degree (BS or MS) in computer science/engineering, Cybersecurity or related field
• Fluency in English and strong written and verbal communications
• Creative thinking and understanding of audience to produce engaging materials in a variety of formats and media, including storyboards, user guides, and gamification elements
• Resilience and flexibility to explore different paths to achieve an outcome and adjust quickly and efficiently to new circumstances and measured results
• Calmness and clarity of thought under pressure and ability to maintain confidentiality
• A high degree of independence, integrity and confidentiality
• Maintain expertise on security trends through training, research and development in order to mitigate potential security exposures
• Accept responsibility and personal accountability
• Ability to communicate in a simple, clear and concise manner to the various communities within our organization
• Confidently deliver ‎presentations and is able to respond ‎to questions.
• Minimum professional certifications:
  • Military or formal vocational technical training in computer science desired but not required
  • Job Qualification Records may be presented in lieu of certain certifications
  • At least one professional certification from the following requested
  • (ISC)2 CISSP (Certificate Information Systems Security Professional
  • SANS SEC 401: Security Essentials
  • ISACA CISM: Certified Information Security Manager
• Very good understanding of governance standards including NIST, COBIT, ISO 27001.
• Thorough understanding of security requirements of Sarbanes-Oxley and Data Privacy laws are desired
• Very good understanding of security requirements for Cloud environment (e.g. Cloud Security Alliance)
• Capable of identifying need & driving solutions, and providing guidance, in an autonomous manner
• Experience in driving technology solutions in large, complex organizations.
• Ability to translate complex security communications / messages in a simple, clear and concise manner to the various communities within our organization. This can include different cultures, nationalities, international locations and languages
• Strong customer/client focus, with the ability to manage expectations appropriately; provide a superior customer/client experience and build long-term relationships
• Understanding of the concepts of information risks and the different elements that make up risk
• Synthesize and communicate to effectively show relationship between safe computing practices and actual risk posture
• Stay up to date on the direction of emerging security issues and assess the need for out-of-cycle, and other out-of-band, communications with employees and contract personnel
• Ability to prioritize and multitask. Flexibility and adaptability in work approach
• Strong collaborative skills and proven ability to work in a diverse global team
• Interact appropriately with others in order to maintain a positive and productive work environment
• Self-motivated
• Proven ability to work under stress in emergencies, with the flexibility to handle multiple high-pressure situations simultaneously
• Ability to maintain a regular and predictable work schedule around such emergencies.
• Perform other duties as necessary

If you are interested in the above position and your profile fits with the above requirements, please send us your resume. Please note that only shortlisted candidates will be contacted.

Deadline for applications: 09.12.2019.