Senior GRC Security Analyst

Indeed
Full-time
Onsite
No experience limit
No degree limit
Av. Cruz Cabugá, 8 - Santo Amaro, Recife - PE, 50040-000, Brazil

Description

Job Summary: Bidweb is seeking a Senior GRC Security Analyst (Compliance) to protect information, ensure regulatory compliance, and foster a digital security culture, operating at the forefront of cybersecurity.

Key Highlights:
1. Join a team at the forefront of cybersecurity
2. Play a key role in information protection and compliance
3. Promote an information security culture

**Bidweb**, a market leader in strategic cybersecurity solutions, is looking for talented and passionate digital security professionals to join our team. If you want to be part of a company at the forefront of cybersecurity, providing protection and trust to clients across diverse sectors, this is your opportunity!

As a **Senior GRC Security Analyst (Compliance)**, you will play a critical role in protecting information and ensuring compliance with security and privacy standards and best practices, through continuous assessment of organizational maturity, risk management, support for strategic projects, and promotion of an information security culture aligned with our clients' needs.

**What we are looking for:**

**Responsibilities:**
- Conduct information security and privacy maturity assessments based on widely recognized industry frameworks such as ISO/IEC 27001:2022, the NIST Cybersecurity Framework, CIS Controls v8, and the NIST Privacy Framework;
- Emphasis on privacy, excellence in customer service, and autonomy in executing tasks;
- Identify and diagnose maturity indicators, defining the organization's maturity level (low, medium, or high) based on the assessed framework;
- Intermediate-level knowledge of planning, structuring, and leading Information Security Governance, Data Protection and Privacy, Business Continuity, and ISMS projects;
- Intermediate-level knowledge of planning, structuring, and conducting internal and external audits of Information Security Management Systems based on ISO/IEC 27001:2022 and ISO/IEC 27701;
- Intermediate-level knowledge of building an IT asset inventory;
- Drafting terms of use, contractual addenda, and best practices for internal and external information security and privacy agreements/contracts;
- Analyzing best practices for physical security architecture;
- Conducting information security and privacy assessments of suppliers and stakeholders;
- Participating in security and privacy analysis of contracts and confidentiality agreements;
- Structuring and creating internal process workflows, grounded in people, processes, and technology;
- Handling registered incidents;
- Delivering introductory and intermediate-level training in information security and privacy;
- Proactively analyzing documentation and proposing improvements (presentations, reports, workflows, spreadsheets, etc.);
- Expertise in identifying improvement opportunities within client environments following a gap analysis, leveraging our internal solutions;
- Developing and drafting information security and privacy policies, standards, and procedures;
- Intermediate-level knowledge of defining RTO and RPO and developing Business Impact Analyses (BIAs);
- Participating in developing Business Continuity Plans, Operational Continuity Plans, Disaster Recovery Plans, and Crisis Management Plans;
- Participating in workflow design during disruptions;
- Participating in Business Continuity risk analysis and management;
- Intermediate-level knowledge of risk analysis, including impact vs. probability, impact on Confidentiality, Integrity, and Availability, risk level, risk classification, deadline definition, ownership assignment, mapping of identified gaps to ISO/IEC 27001:2022 controls, and treatment planning;
- Expertise in identifying organizational processes that handle personal data and structuring the Record of Processing Activities (ROPA);
- Expertise in jointly defining, with clients, objectives, structure, and planning for information security and privacy;
- Analyzing security and privacy aspects of contracts and confidentiality agreements;
- Creating and updating internal confidentiality agreements;
- Drafting internal Legitimate Interest Assessments (LIAs) and Data Protection Impact Assessments (DPIAs).

**Requirements**

**Education:** Completed Technologist or Bachelor's degree; postgraduate studies or MBA in progress.

**Desirable academic background:** Computer Networks, Information Systems, or Information Security, with specialization in IT Governance/Management, Information Security, Digital Law, or related fields.

**Experience:** 3–4 years of proven experience in GRC, Compliance, and Auditing, with the ability to perform risk analyses and understand the various Information Security Management frameworks.

**Soft Skills:** Curious, dynamic, flexible, attentive, collaborative, results-oriented, organized, resilient, able to discern and respond effectively under pressure, strong written and verbal communication skills, excellent internal coordination ability, eager and willing to share knowledge.

**Hard Skills:**
- Technical certification aligned with BID's certification roadmap;
- Proficiency in IT tools (Office 365, Teams);
- Proficiency in communication to lead/facilitate client meetings;
- Proficiency in computer network architecture and security;
- Solid knowledge of Law No. 13.709/2018, the Brazilian General Data Protection Law (LGPD);
- Technical English for reading documentation;
- Information Security Foundation certification (ISFS, based on ISO/IEC 27001);
- Knowledge of business process design and execution of standard operating procedures;
- In-depth knowledge of information security frameworks (ISO/IEC 27001 and 27701, NIST Cybersecurity Framework, OWASP, PCI DSS, ISO 22301, ISO 31000, MITRE ATT&CK);
- Knowledge of cloud computing;
- Knowledge of virtualized environments;
- ISO 31000 course.

Source: Indeed
Posted by: João Silva, Indeed · HR

© 2025 Servanan International Pte. Ltd.