Cybersecurity - GRC Analyst

14 hours ago


Lisboa, Portugal Santander Full-time


Country: Portugal

**Mission**

Set and supervise Subsidiary cyber governance in line with the Global CISO Organization, ensuring that the different teams of the Group work under a common model aligned with Santander business strategy and objectives; managing cyber security risk posture and complying with agreed internal policies and procedures and external regulations; coordinating the governance model and preparing official reporting to the respective governing bodies in the entity.

**MAIN DUTIES AND RESPONSIBILITIES**
- Set and supervise the implementation of Subsidiary cyber strategy and objectives achievement, aligned with Group’s cyber strategy and delivery of on-demand strategic outputs to support operational teams.
- Understand, monitor and report key cybersecurity indicators in collaboration with other Subsidiary cybersecurity areas and technical teams to enable performance monitoring.
- Drive implementation of Group’s cybersecurity policies, standards and controls in the Subsidiary, in compliance with applicable laws, regulations and international standards (e.g. EBA/ECB, SOX, PCI, Swift, NIST, CIS, etc.) to manage emerging cybersecurity threats and risk trends.
- Monitor compliance with cyber regulation (framework, policies, standards and guides) and manage non-compliances, including waivers and exceptions.
- Engage and adopt Group’s Cyber Control Framework and internal control maturity assessment process.
- Assess, manage, and report cyber security risks to the Subsidiary and to Global CISO Organization.
- Coordinate Subsidiary cyber teams to support the Global GRC team in the execution of independent assessments, audits and regulatory inspections of cybersecurity controls and certification reviews (e.g. ISO, PCI DSS, SOX) performed by internal/external parties, and support the remediation of recommendations.
- Ensure that the Subsidiary third-party/vendor ecosystem is properly evaluated, assessed and managed to minimize risk exposure and risk impacts to the business, aligned with Group’s cybersecurity policies and standards.

**KNOWLEDGE AND SKILLS**
- Standards, Procedures & Policies: Knowledge of and the ability to utilize a variety of administrative skill sets and technical knowledge to develop and implement strategy, plans, policies, standards and procedures in compliance with laws and regulations in support of organizational cyber activities.
- Cybersecurity Risk Management: Knowledge of tools, techniques, approaches and processes of cybersecurity risk management; ability to identify and assess the severity and potential impact of risks. Communicate risk assessment findings to risk owners in a way that consistently drives objective, fact-based decisions about risk that optimize the trade-off between risk mitigation and business performance.
- Information Security Certifications and Audits: Knowledge of and the ability to utilize tools and techniques for assessing the effectiveness of information security measures, identifying potential risk exposures, and protecting the availability, confidentiality and audit trails of information from destruction or manipulation. Understanding of various risk and security certifications and attestations (SOC2, ISO 27001, etc.).
- Information Security Law and Regulations: Knowledge of domestic and international laws governing information security; ability to interpret and take action on the aspects of information security laws that impact the business (for example: Sarbanes-Oxley Act (SOX), Payment Card Industry Security [PCI] Standards, General Data Protection Regulation [GDPR]).
- Industry certifications relating to security and risk management are desired.
- Data Gathering and Reporting: Knowledge of tools, techniques and processes for gathering and reporting data; ability to practice them in a particular department or division of a company. Knowledge of how to leverage research and development centres, think tanks, academic research, and industry systems.
- Decision Making and Critical Thinking: Knowledge of the decision-making process and associated tools and techniques; ability to accurately analyse situations and reach productive decisions based on informed judgment.
- Effectiveness Measurement: Knowledge of effective measurement techniques and ability to measure the quality and quantity of work effort for the purpose of improvement.

At Santander, each of us is a “Risk Pro”. This means having the personal responsibility to identify, assess, manage and report any risks to the bank arising from the performance of our duties. We will give you the knowledge and the tools to be a Risk Pro in every situation. This risk culture is fundamental to the Santander Way, our way of working.

