Senior GRC Security Analyst

Indeed
Full-time
Onsite
No experience limit
No degree limit
Av. Cruz Cabugá, 8 - Santo Amaro, Recife - PE, 50040-000, Brazil

Description

Job Summary: Bidweb is seeking a Senior GRC Security Analyst to protect information, ensure compliance, and foster a digital security culture aligned with customer needs.

Key Highlights:
1. Frontline of cybersecurity and protection for diverse customers
2. Critical role in information protection and regulatory compliance
3. Promotion of an information security culture

**Bidweb**, a market leader in strategic cybersecurity solutions, is looking for talented and passionate professionals in digital security to join our team. If you want to be part of a company at the forefront of cybersecurity, providing protection and trust to customers across diverse sectors, this is your opportunity!

As a **Senior GRC Security Analyst (compliance)**, you will play a critical role in protecting information and ensuring compliance with security and privacy standards and best practices, through continuous assessment of organizational maturity, risk management, support for strategic projects, and promotion of an information security culture aligned with our customers' needs.

**What we are looking for:**

**Responsibilities**:
- Conduct information security and privacy maturity assessments based on leading industry frameworks, such as ISO/IEC 27001:2022, the NIST Cybersecurity Framework, CIS V8, and the NIST Privacy Framework;
- Emphasis on privacy, excellence in customer service, and autonomy in executing tasks;
- Identify and diagnose maturity indicators, defining the organization's maturity level according to the evaluated framework (low, medium, or high);
- Intermediate-level knowledge in planning, structuring, and executing information security governance, data protection and privacy, business continuity, and ISMS projects;
- Intermediate-level knowledge in planning, structuring, and conducting internal and external audits of information security management systems based on ISO/IEC 27001:2022 and ISO/IEC 27701;
- Intermediate-level knowledge in structuring an IT asset inventory;
- Drafting terms of use, contractual addenda, and best practices for internal and external information security and privacy agreements/contracts;
- Analysis of best practices for physical security architecture;
- Conducting information security and privacy assessments of suppliers and stakeholders;
- Participating in security and privacy analysis of contracts and confidentiality agreements;
- Structuring and creating internal process workflows based on people, processes, and technology;
- Handling registered incidents;
- Delivering introductory and intermediate-level training in information security and privacy;
- Proactively analyzing documentation (presentations, reports, workflows, spreadsheets, etc.) and proposing improvements;
- Expertise in identifying improvement opportunities within the client's environment following a GAP analysis, leveraging our internal solutions;
- Structuring and drafting information security and privacy policies, standards, and procedures;
- Intermediate-level knowledge in defining RTO and RPO and developing BIAs;
- Participating in developing the business continuity plan, operational continuity plan, disaster recovery plan, and crisis management plan;
- Participating in workflow design during disruptions;
- Participating in business continuity risk analysis and management;
- Intermediate-level knowledge in risk analysis: identifying impact vs. probability, impact on Confidentiality, Integrity, and Availability, risk level, risk classification, deadline definition, risk owners, alignment of GAPs with ISO/IEC 27001:2022 controls, and treatment structuring;
- Expertise in identifying organizational processes handling personal data and structuring the Record of Processing Activities (ROPA);
- Expertise in jointly defining, with the client, objectives, structure, and planning for information security and privacy;
- Security and privacy analysis of contracts and confidentiality agreements;
- Creating and updating internal confidentiality agreements;
- Creating internal LIAs and DPIAs.

**Requirements**
Education: Completed Technologist or Bachelor's degree; Postgraduate studies or MBA in progress.

**Desirable**

**Academic background:** Computer networks, information systems, or information security, with specialization in IT governance/management, information security, digital law, or related fields.

**Experience:** 3–4 years of proven experience in GRC, Compliance, and Audits, with capability in risk analysis and understanding of various information security management frameworks.

**Soft Skills:** Curious, dynamic, flexible, attentive, collaborative, results-oriented, organized, resilient, able to discern and respond effectively under pressure, strong written and verbal communication skills, excellent internal coordination ability, eager and willing to share knowledge.

**Hard Skills:**
- Technical certification aligned with BID's certification roadmap;
- Proficiency in IT tools (Office 365, Teams);
- Proficiency in communication to lead/facilitate client meetings;
- Proficiency in computer network architecture and security;
- Solid knowledge of Law No. 13.709/18, the General Data Protection Law (LGPD);
- Technical English for reading documentation;
- Certification in Introduction to Information Security (ISFS, ISO 27001 Foundation);
- Knowledge of designing business processes and executing standard operating procedures;
- Solid knowledge of information security frameworks (ISO/IEC 27001 and 27701, NIST Cybersecurity Framework, OWASP, PCI, ISO 22301, ISO 31000, MITRE ATT&CK);
- Knowledge of cloud computing;
- Knowledge of virtual environments;
- ISO 31000 course.

Source: Indeed
João Silva
Indeed · HR