Job Title: GRC Specialist

Company: Aviva India

Location: Gurugram, Uttar Pradesh

Created: 2026-03-13

Job Type: Full Time

Job Description

IT Risk & Cybersecurity GRC

Position: GRC Specialist / Senior Analyst – Governance, Risk & Compliance
Experience: ~6 Years
Industry: Insurance (Life/General/Health) / BFSI

Role Overview

We are seeking an experienced IT Risk & Cybersecurity GRC professional (6+ years) to oversee our governance, internal audit readiness, regulatory compliance posture and user access review framework within a regulated insurance environment. The role will play a critical part in managing internal audits, IRDAI/CERT-IN compliance, user access governance, third-party risk, control testing and executive risk reporting.

The ideal candidate must have hands-on experience as both:
- An auditee for regulatory and internal audits
- A control assessor / reviewer conducting independent internal reviews

Key Responsibilities

Risk & Control Governance
- Strong understanding of the IT Risk Management lifecycle (Integrated Risk Management, Risk and Control Self-Assessment, Information Risk Assessment, Business Impact Assessment)
- Perform risk assessments and control testing across IT and cybersecurity domains
- Identify control gaps and design new controls aligned with the evolving threat landscape
- Track and ensure timely closure of audit observations and risk issues
- Maintain risk registers and document risk acceptance where applicable
- Coordinate security incident reporting, root cause analysis and remediation tracking

Internal & Regulatory Audit Management
- Act as primary auditee for:
  - IRDAI Cyber Security Audits
  - CERT-IN compliance
  - Internal audits (including Big 4)
  - Financial & ITGC audits
- Coordinate evidence submission and stakeholder responses
- Conduct internal mock audits to assess control effectiveness
- Ensure 100% closure of audit issues within agreed timelines
- Track remediation and report to senior leadership

User Access Governance
- Deep understanding of:
  - Privileged Access Reviews
  - Normal User Access Reviews
  - Role-based access control (RBAC)
  - Segregation of Duties (SoD)
  - Joiner-Mover-Leaver (JML) process
- Conduct periodic UAR across applications and infrastructure
- Validate access appropriateness and least privilege principles
- Coordinate with business owners and application teams for certifications
- Review PAM controls and session monitoring
- Publish interim and final access review reports

Third Party Risk Management
- Conduct third-party risk assessments during onboarding in accordance with the organization’s risk tolerance
- Perform annual continuous risk reassessment
- Evaluate vendor BCP/DR capabilities
- Ensure contractual security clauses are aligned with regulatory expectations
- Track vendor remediation actions

KPI / KRI / KCI Management
- Define and track security KPIs, KRIs and KCIs
- Develop risk dashboards for senior management and governance forums
- Present risk posture updates to leadership

Regulatory Compliance (Insurance Sector)
- Interpret and implement circulars from:
  - IRDAI
  - CERT-IN
  - Other applicable regulators
- Translate regulatory expectations into actionable control implementations
- Conduct gap assessments against regulatory mandates, especially the DPDP Act
- Drive remediation programs

Policy & Framework Management
- Review and update ISMS and BCMS policies and procedures
- Align with ISO 27001, internal group standards and regulatory requirements
- Drive policy modernization initiatives
- Coordinate with cross-functional teams to ensure policy adoption and compliance

Business Continuity & DR
- Support Business Continuity Planning (BCP) and Disaster Recovery (DR) compliance requirements
- Participate in DR drills and ensure documentation readiness
- Create and analyze a weighted, risk-based matrix to categorize applications based on their business and information security criticality

GRC Platforms & Reporting
- Hands-on experience with GRC tools such as:
  - IBM OpenPages (preferred)
  - Archer / MetricStream / equivalent
- Maintain risk registers and issue trackers
- Generate dashboards and executive reports

Security Awareness & Training
- Design and roll out training programs in accordance with the evolving threat landscape
- Support awareness initiatives to uplift control maturity

Mandatory Skills & Experience
- 6+ years in IT Risk / Cybersecurity GRC (BFSI/Insurance preferred)
- Strong audit handling experience (IRDAI exposure highly preferred)
- Demonstrated experience in User Access Reviews (non-negotiable)
- Experience with PAM, access governance and audit evidence validation
- Good understanding of IT infrastructure, cybersecurity concepts and vendor risk processes
- Strong communication, documentation & reporting skills
- Exposure to senior governance forums
- Ability to independently drive remediation
- Analytical thinking and problem-solving
- Attention to detail and ability to handle multiple compliance workstreams

Preferred Qualifications
- Bachelor’s degree in IT, Computer Science, Engineering, or related field
- ISO 27001 Lead Implementer / Auditor
- CISA / CRISC / CISSP (added advantage)
- Experience in a regulated insurance environment

What We Are Looking For

A hands-on, detail-oriented, audit-mature GRC professional who:
- Can independently manage regulatory interactions
- Understands risk deeply (not checklist-based)
- Has strong user access governance expertise
- Can present confidently to senior leadership
- Can drive closure without supervision