Senior GRC Security Analyst

Indeed
Full-time
Onsite
No experience limit
No degree limit
Av. Cruz Cabugá, 8 - Santo Amaro, Recife - PE, 50040-000, Brazil
Description

**Job Summary:** Bidweb is seeking a Senior GRC Security Analyst to safeguard information, ensure compliance, manage risks, and foster an information security culture aligned with client needs.

**Key Highlights:**

1. At the forefront of cybersecurity, providing protection and trust
2. Playing a pivotal role in information protection and compliance
3. Promoting an information security culture

**Bidweb**, a market leader in strategic cybersecurity solutions, is looking for talented and passionate professionals dedicated to digital security to join our team. If you wish to be part of a company at the forefront of cybersecurity, delivering protection and trust to clients across diverse sectors, this is your opportunity!

As a **Senior GRC Security Analyst (Compliance)**, you will play a pivotal role in protecting information and ensuring compliance with security and privacy standards and best practices, through continuous assessment of organizational maturity, risk management, support for strategic initiatives, and promotion of an information security culture aligned with our clients' needs.

**What we are looking for:**

**Responsibilities:**

- Conduct information security and privacy maturity assessments based on widely recognized industry frameworks, such as ISO/IEC 27001:2022, the NIST Cybersecurity Framework, CIS Controls v8, and the NIST Privacy Framework
- Emphasis on privacy, excellence in customer service, and autonomy in executing tasks
- Identify and diagnose maturity-level indicators, defining the organization's maturity level (low, medium, or high) according to the assessed framework
- Intermediate-level knowledge in planning, structuring, and executing information security governance, data protection and privacy, business continuity, and ISMS projects
- Intermediate-level knowledge in planning, structuring, and conducting internal and external audits of information security management systems based on ISO/IEC 27001:2022 and ISO/IEC 27701
- Intermediate-level knowledge in building an IT asset inventory
- Drafting terms of use, contractual addenda, and best practices for internal and external information security and privacy agreements/contracts
- Analyzing best practices for physical security architecture
- Conducting information security and privacy assessments of suppliers and stakeholders
- Participating in security and privacy analysis of confidentiality agreements and contracts
- Structuring and creating internal process workflows based on people, processes, and technology
- Handling registered incidents
- Delivering introductory and intermediate-level information security and privacy training
- Proactively analyzing documentation (e.g., presentations, reports, workflows, spreadsheets) and proposing improvements
- Expertise in identifying improvement opportunities within the client environment following a gap analysis, leveraging our internal solutions
- Structuring and drafting information security and privacy policies, standards, and procedures
- Intermediate-level knowledge in defining RTO and RPO and developing BIAs
- Participating in developing business continuity plans, operational continuity plans, disaster recovery plans, and crisis management plans
- Participating in workflow design during disruptions
- Participating in business continuity risk analysis and management
- Intermediate-level knowledge in risk analysis, including impact vs. probability, impact on Confidentiality, Integrity, and Availability, risk level, risk classification, deadline definition, ownership assignment, alignment of identified gaps with ISO/IEC 27001:2022 controls, and treatment planning
- Expertise in identifying organizational processes handling personal data and structuring the Record of Processing Activities (RoPA)
- Expertise in jointly defining, with the client, objectives, structure, and planning for information security and privacy
- Analyzing security and privacy aspects of confidentiality agreements and contracts
- Creating and updating internal confidentiality agreements
- Creating internal LIAs and DPIAs

**Requirements**

**Education:** Completed Technologist or Bachelor's degree; postgraduate studies or MBA in progress

**Desirable**

**Education:** Computer networks, information systems, or information security, with specialization in IT governance/management, information security, digital law, or related fields.

**Experience:** 3–4 years of proven experience in GRC, compliance, and audits, with capability in risk analysis and understanding of various information security management frameworks.

**Soft Skills:** Curious, dynamic, flexible, attentive, collaborative, results-oriented, organized, resilient, able to discern and respond effectively under pressure, strong written and verbal communication skills, excellent internal coordination ability, eager and willing to share knowledge.

**Hard Skills:**

- Technical certification aligned with BID's certification roadmap
- Proficiency in IT tools (Office 365, Teams)
- Proficiency in communication for leading/conducting client meetings
- Proficiency in computer network architecture and security
- Solid knowledge of Law No. 13.709/18 – General Data Protection Law (LGPD)
- Technical English for reading documentation
- Certification in Introduction to Information Security (ISFS – ISO 27001 Foundation)
- Knowledge of designing business processes and executing standard operating procedures
- Solid knowledge of information security frameworks (ISO/IEC 27001 and 27701, NIST Cybersecurity Framework, OWASP, PCI, ISO 22301, ISO 31000, MITRE ATT&CK)
- Knowledge of cloud computing
- Knowledge of virtual environments
- ISO 31000 course

Source: Indeed
João Silva
Indeed · HR