Job Description:

Position: Manager, IT Governance, Risk and Compliance

Type: Full-Time | Permanent | Hybrid  

Location: Markham, ON 

Reports to: Director, Security and Infrastructure, IT

Job Overview

The Manager, IT Governance, Risk and Compliance is the IT owner for ICFR, PCI-DSS, NIST Cybersecurity Framework (CSF) 2.0, and Third-Party Risk Management (TPRM). This hands-on leadership role delivers IT controls, evidence, remediation, policy governance, the IT Security Risk Register, and the full TPRM lifecycle while partnering with Finance, Payments, Security, Procurement, and Legal.

Essential Duties             

• Act as the primary IT point of contact for internal and external audit partners on ICFR/ITGC, PCI-DSS, and NIST CSF 2.0 audits.

• Own the IT General Controls (ITGC) portion of the annual ICFR program: scoping, documentation, evidence, walkthroughs, testing support, and remediation.

• Manage the PCI-DSS IT compliance program (Requirements 1–12, A1–A3), including evidence, QSA support, and remediation.

• Lead IT-side implementation and maturity of NIST CSF 2.0 across all six functions.

• Develop, maintain, and govern all IT policies, standards, procedures, and process documentation aligned with ICFR, PCI, and NIST CSF.

• Own and maintain the IT Security Risk Register (identification, assessment, treatment plans, monitoring, and reporting).

• Lead the IT Third-Party Risk Management (TPRM) program: vendor risk assessments, due diligence, ongoing monitoring, contract reviews, scoring, and off-boarding for all technology and cloud vendors in scope for ICFR, PCI, or NIST.

• Coordinate and deliver evidence and responses during internal/external audits and regulatory reviews.

• Track and drive remediation of IT-related findings from audits and TPRM assessments.

• Maintain centralized IT controls library and automated evidence repository.

• Perform regular control self-assessments and continuous monitoring.

• Report compliance status, risk register, and TPRM metrics to IT leadership, Finance, Procurement, and the Audit Committee.

• Stay current on regulatory changes and translate them into actionable IT and vendor requirements.

• Other tasks as assigned.

Skills, Experience, Education, Certifications

• 8+ years of progressive IT governance, risk, compliance, or audit experience.

• Minimum 4 years in a leadership role.

• Direct, hands-on experience delivering IT evidence and remediation for ICFR/ITGC, PCI-DSS, NIST CSF, and Third-Party Risk Management programs.

• Proven ability to work successfully with internal/external audit partners and vendors.

• Professional certification required (one or more): CISA, CISM, CRISC, CISSP-ISSAP, PCIP, or equivalent.

• Strong policy, process documentation, and risk register management skills.

• Hands-on experience running a TPRM program and using vendor risk platforms

Competencies

• Mastery of ICFR/ITGC, PCI-DSS, NIST CSF 2.0, and TPRM

• Policy and process documentation excellence

• IT risk register and vendor risk lifecycle ownership

• Audit coordination and evidence delivery

• Cross-functional partnership (Finance, Security, Payments, Procurement, Legal)

• Calm execution under tight audit and vendor review timelines

Compensation:

The targeted salary range for this position is $125,000 - $135,000 annually. The final offer will be based on factors such as market location, relevant skills, experience and internal equity.