IT Compliance Manager - Toronto, Ontario
Tilray is a federally licensed producer of medical cannabis. We are committed to setting the gold standard of care and excellence in our industry. We believe that commitment starts with a great work environment and benefits for our associates.
Looking to develop your career at the forefront of a rapidly expanding industry?
The IT Compliance Manager's role is to assess and oversee the implementation of all technology-related compliance initiatives across the organization, including SOX, GMP, business continuity, identity management, user access and data integrity. This includes providing objective risk assessments of the company's compliance with the regulatory, organizational and commercial requirements governing its information technology systems.
The IT Compliance Manager will also develop and implement policies, procedures and controls to ensure that the organization's practices remain compliant with all pertinent local, state/province/county and federal laws and industry standards. In this role, the IT Compliance Manager will work directly with compliance professionals in Information Security, Legal and Internal Audit to ensure organizational alignment.
TASKS AND RESPONSIBILITIES
- Determine and maintain an inventory of all regulatory, commercial and organizational technology compliance requirements.
- Facilitate the creation, modification and subsequent enforcement of all technology compliance policies.
- Create an IT compliance risk assessment framework and periodically assess inherent and residual IT compliance risks across regulatory, commercial and organizational requirements.
- Identify the associated IT compliance control gaps and facilitate the documentation, implementation and testing of the entire IT compliance control portfolio.
- Develop and direct IT compliance control monitoring programs to ensure IT compliance-related risks are managed to the appropriate level of acceptable residual risk.
- Implement and maintain an IT compliance issue management tracking and resolution process that will address known issues, according to severity and potential impact to the organization.
- Report the levels of IT compliance risk and control effectiveness to key stakeholders such as IT-business unit management, senior management, board of directors, legal management, regulators, internal/external auditors, etc.
- Coordinate audit-related tasks such as ensuring the readiness of IT managers and their organizations for audit testing and facilitating the timely resolution of any audit findings.
- Provide input to the overall IT compliance-related budget/financial spend in accordance with the desired IT compliance risk appetite of the organization.
- Provide technological advice and insight on compliance requirements to non-IT leaders such as the general counsel, chief compliance officer (CCO), chief risk officer (CRO), etc.
- Assist business and IT managers with the acquisition of tools and expertise to assist with IT compliance-related projects and initiatives.
- Create an IT compliance training and awareness program that periodically educates the requisite end-user community on the relevant IT compliance requirements and certifies their adherence to the relevant IT compliance controls.
Regulatory Compliance Activities
- Work with corporate legal and compliance representatives to identify all related IT compliance requirements (e.g., security, user access, privacy, data integrity) associated with the laws and regulations within all relevant jurisdictions.
- Ensure all related IT compliance policies are updated based on any relevant regulatory changes or new laws. Consult with the Director of Information Security on InfoSec-specific policies.
- Create a regulatory change management process that identifies and coordinates the modification of related technological functions, business processes and/or compliance controls.
- Conduct the necessary IT compliance control monitoring and testing activities to determine the effectiveness of the controls.
- Coordinate with IT functional teams to remediate IT compliance control deficiencies.
- Coordinate the investigation of any potential unlawful or fraudulent action related to IT compliance, such as the intentional release of privileged information or a related security breach.
Commercial Compliance Activities
- Work with IT Procurement and Information Security to identify all IT compliance commercial requirements and industry standards related to the supply as well as the delivery of technical goods and services.
- Communicate IT compliance standards and requirements to relevant suppliers through various means, such as requests for proposal, contractual terms, etc.
- Perform the necessary due diligence activities to determine third-party adherence to IT compliance requirements prior to establishing a business relationship.
- Collaborate with Information Security and Internal Audit to develop and implement a Vendor Risk Assessment program.
- Monitor third-party adherence to IT compliance requirements and address any and all instances of noncompliance.
- Request proof of required industry-standard certifications or reports (e.g., ISO 27001, Service Organization Control (SOC) reports, PCI DSS, etc.).
Organizational Compliance Activities
- Work with IT and business representatives to identify the goals and objectives of the organization and translate them into IT compliance requirements such as IT security and user access policies and controls.
QUALIFICATIONS
- 4+ years of experience in IT Compliance (SOX, FDA and/or InfoSec).
- Minimum 2 years of SOX and ITGC (IT general controls) experience and/or exposure.
- Information Security experience or certification.
- Experience working in the Cannabis, CPG, Pharma or Medical industry.
- GMP experience is an asset.
- Financial knowledge is an asset.
Tilray welcomes applications from all qualified individuals and is committed to employment equity and diversity in the workplace.
Accommodations are available for applicants with disabilities throughout the recruitment process. If you require accommodations for interviews or other meetings, please advise when submitting your application.
Please note that Tilray does not authorize, engage, or sponsor any consultants, agencies or organizations that seek certain personal or financial information from you (e.g. passwords, login ids, credit card information). Tilray does not charge any application, processing or onboarding fee at any stage of the recruitment or hiring process.
When replying to emails, please verify that the sender's display name and email address are consistent with one another, and that the Reply-To address matches the From address exactly; a mismatch between the two is a common sign of a spoofed recruitment message.
If you are concerned about the authenticity of an email, letter, or call purportedly from, for, or on behalf of Tilray, please send an email inquiry to email@example.com