The GRC Specialist shall possess a deep understanding of the complexities involved in managing risk, ensuring compliance with local regulations and industry standards, and developing robust governance frameworks within the fast-evolving telecommunications landscape.
1. Governance:
o Develop and implement security policies: Ensure that the organization has up-to-date, effective information security policies, standards, and procedures aligned with business goals and industry standards.
o Establish security governance frameworks: Design and maintain a governance structure for information security that supports organizational objectives, risk management, and compliance initiatives.
o Report to senior leadership: Regularly report to executive leadership (e.g., CISO, CIO, Board of Directors) on security governance, risk assessments, and compliance matters, offering actionable insights as needed.
2. Risk Management:
o Conduct risk assessments: Identify, assess, and prioritize security risks to the organization’s information systems, data, and operations. This includes conducting threat assessments, vulnerability assessments, and impact analyses, taking into account the threat landscape in a rapidly changing telco environment.
o Implement risk mitigation strategies: Develop and implement strategies to reduce risks to an acceptable level, using various controls (technical, administrative, physical) and monitoring.
o Continuous Risk Monitoring and Security Risk Register Maintenance: Continuously monitor the risk landscape to identify new and emerging risks while tracking and updating the Security Risk Register. Coordinate with risk owners for timely closure of identified risks and communicate their status and updates to relevant stakeholders to support informed decision-making.
o Risk Acceptance Management: Manage and maintain the full cycle of Risk Acceptance Forms by assessing and documenting risk deviations, monitoring compliance, and ensuring effective communication with the risk owner to uphold organizational risk management standards.
3. Compliance:
o Ensure regulatory compliance: Monitor and ensure that the organization complies with relevant laws, regulations, and industry standards (e.g., QCB, NIA, PCI-DSS, ISO 27001, etc.).
o Develop compliance programs: Create and manage internal compliance programs to track compliance with security regulations and internal policies.
o Prepare for audits, assessments and certification: Prepare for and manage internal and external audits, certifications, and assessments. This includes coordinating with auditors, gathering evidence, ensuring timely responses to audit findings, and facilitating the closure of those findings.
o Track compliance KPIs: Develop and track Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to assess compliance and security effectiveness.
4. Policy and Documentation Management:
o Document security processes and procedures: Develop, implement, and maintain comprehensive documentation related to security governance, risk management, and compliance processes in line with the requirements of Ooredoo Financial Services.
o Policy updates and review: Regularly review and update security policies, procedures, and standards to ensure they remain relevant and effective.
5. Security Awareness Program:
o Develop and implement a security awareness program: Develop and implement a security awareness program that educates employees on identifying and preventing information security threats, fostering a strong security culture within the organization.
6. Identity and Access Management:
o User Access Reviews: Support the Identity and Access Management (IAM) program by collaborating with cross-functional teams to conduct user access cleanups and user access reviews, ensuring compliance with security policies and adherence to access management best practices.