- The Director, Governance, Risk & Compliance (GRC) will ensure that we provide the technology and business teams with the appropriate level of compliance to external regulations and internal requirements.
- This role will lead our effort to reach a state of continuous compliance by partnering and engaging with our technology, business, and brand teams to adhere to policies, reduce security risks and maintain compliance.
- The initial focus will be to establish, maintain and advance an overall IT GRC framework which supports RCCL IT global environments including shoreside, shipboard, subsidiary companies, mobile and cloud-based services.
- This position will also define how RCCL will meet mandatory regulatory requirements such as GDPR, SOX, PCI, HIPAA and Privacy compliance requirements and direct related activities across IT, within business units and external solution providers accordingly.
Essential Duties and Responsibilities:
- Ensure that security technology intended to protect company systems and information is configured and operating according to established standards. Validate that logging mechanisms are appropriately implemented in order to ensure that anomalous activity or attacks on RCCL systems can be detected by the Incident Management team.
- Lead and mentor a team of security analysts and IT Control Owners to conduct GRC activities including implementing and improving processes and technology solutions.
- Oversee the validation of risk assessments, process and technology control designs, control gap identification, test scripts and evidence and identification of compensating controls.
- Oversee IT GDPR, PCI, SOX and other regulatory or contractual obligation efforts including control design, implementation and execution. Facilitate annual IT SOX control walkthrough process including control activity reviews, process
- Manage annual SOX, PCI DSS testing, internal audits, remediation tracking, evidence collection and risk identification. Facilitate module enhancements to streamline and simplify IT aspects of the testing process.
- Manage IT remediation process including tracking and resolutions of findings from internal and/or external audit findings, risk assessments, self-reported items and other control assessments.
- Ensure that appropriate remediation plans are developed to appropriately mitigate vulnerabilities and defects in a timely manner to reduce risk to systems and information. Where potential system weaknesses are identified, partner with other team members within Information Security, IT and business units to implement compensating controls.
- Develop and maintain a strong partnership with Senior IT Management, Internal Audit, Ethics and Compliance, Enterprise Risk, other relevant business units and third-party vendors to ensure that there is an effective understanding, awareness and adoption of their responsibilities as they relate to compliance requirements such as GDPR, SOX, PCI, HIPAA, and Privacy, within their areas.
- Facilitate the IT written response process (i.e., management responses).
- Oversee IT governance documentation review and assessment process.
- Lead the development of technical standards and procedures for IT and business units regarding how to securely configure and implement technology.
- Lead and champion company-wide Information Security Awareness Program that promotes security as a shared responsibility across company leadership, employees, and crew members.
- Expected to create and manage budget in own operating group and/or projects under their supervision
- Solid understanding of accounting rules for expense and capital activities
- Ensures efficient utilization of staff and non-labor resources and accurate forecasting
- Solid understanding of IT estimation activities. May lead large/complex estimation activities
- Accountable for financial implications and cost of systems and services
- Responsible for defining optimization opportunities to reduce operational expenses
- Bachelor’s degree in Information Systems or equivalent industry experience.
- 10-12 years of experience within Information Security
- CISSP Certification
- CISA Certification
Knowledge and Skills:
- Understanding of compliance controls related to regulatory frameworks such as HIPAA, PCI, and SOX. Well versed in the purposes and processes of ISO and SSAE-16 certifications.
- Proven technical expertise across IT applications, infrastructure and information security products (e.g., firewalls, IPS, SIEM, proxy) and application security/vulnerability testing tools and techniques.
- Ability to lead technical resources both within the company and at third party vendors.
- Ability to identify, prioritize and communicate remediation activities based on risk to the overall enterprise.
- Strong communication skills including the ability to influence others.
- Proven ability to build strong relationships with Senior Leadership, IT Staff and peers.
- Requires travel to support internal business partners.
- Will require travel to RCL offices, ships, and 3rd party service provider facilities.