Hybrid: Markham, Ontario
Job Description:
Position: Manager, IT Governance, Risk and Compliance
Type: Full-Time | Permanent | Hybrid
Location: Markham, ON
Reports to: Director, Security and Infrastructure, IT
Job Overview
The Manager, IT Governance, Risk and Compliance is the IT owner for ICFR, PCI-DSS, NIST Cybersecurity Framework (CSF) 2.0, and Third-Party Risk Management (TPRM). This hands-on leadership role delivers IT controls, evidence, remediation, policy governance, the IT Security Risk Register, and the full TPRM lifecycle while partnering with Finance, Payments, Security, Procurement, and Legal.
Essential Duties
- Act as the primary IT point of contact for internal and external audit partners on ICFR/ITGC, PCI-DSS, and NIST CSF 2.0 audits.
- Own the IT General Controls (ITGC) portion of the annual ICFR program: scoping, documentation, evidence, walkthroughs, testing support, and remediation.
- Manage the PCI-DSS IT compliance program (Requirements 1-12, A1-A3), including evidence, QSA support, and remediation.
- Lead IT-side implementation and maturity of NIST CSF 2.0 across all six functions.
- Develop, maintain, and govern all IT policies, standards, procedures, and process documentation aligned with ICFR, PCI, and NIST CSF.
- Own and maintain the IT Security Risk Register (identification, assessment, treatment plans, monitoring, and reporting).
- Lead the IT Third-Party Risk Management (TPRM) program: vendor risk assessments, due diligence, ongoing monitoring, contract reviews, scoring, and off-boarding for all technology and cloud vendors in scope for ICFR, PCI, or NIST.
- Coordinate and deliver evidence and responses during internal/external audits and regulatory reviews.
- Track and drive remediation of IT-related findings from audits and TPRM assessments.
- Maintain centralized IT controls library and automated evidence repository.
- Perform regular control self-assessments and continuous monitoring.
- Report compliance status, risk register, and TPRM metrics to IT leadership, Finance, Procurement, and the Audit Committee.
- Stay current on regulatory changes and translate them into actionable IT and vendor requirements.
- Other tasks as assigned.
Skills, Experience, Education, Certifications
- 8+ years of progressive IT governance, risk, compliance, or audit experience.
- Minimum 4 years in a leadership role.
- Direct, hands-on experience delivering IT evidence and remediation for ICFR/ITGC, PCI-DSS, NIST CSF, and Third-Party Risk Management programs.
- Proven ability to work successfully with internal/external audit partners and vendors.
- Professional certification required (one or more): CISA, CISM, CRISC, CISSP-ISSAP, PCIP, or equivalent.
- Strong policy, process documentation, and risk register management skills.
- Hands-on experience running a TPRM program and using vendor risk platforms.
Competencies
- Mastery of ICFR/ITGC, PCI-DSS, NIST CSF 2.0, and TPRM
- Policy and process documentation excellence
- IT risk register and vendor risk lifecycle ownership
- Audit coordination and evidence delivery
- Cross-functional partnership (Finance, Security, Payments, Procurement, Legal)
- Calm execution under tight audit and vendor review timelines
Compensation: The targeted salary range for this position is $125,000 - $135,000 annually. The final offer will be based on factors such as market location, relevant skills, experience and internal equity.