Posted: 6 days ago
On-site
Full Time
Job Description: Senior GRC Analyst
Location: Mumbai, India
Department: Information Security, Risk & Compliance
Reports To: CISO
About Si Creva Capital Services
Si Creva Capital Services Pvt. Ltd. is a leading NBFC engaged in digital lending, supported by OnEMI Technology Solutions as its Lending Service Provider. With a strong focus on compliance, operational resilience, and customer trust, we are ISO 27001 and SOC 2 compliant and adhere to RBI's Master Directions on IT Outsourcing, Digital Lending, and other regulatory frameworks.
Role Overview
The Senior GRC Analyst will play a key role in strengthening the Governance, Risk, and Compliance (GRC) function at Si Creva. The individual will oversee compliance with regulatory frameworks (RBI Digital Lending Directions, IT Outsourcing Directions, DPDP Act, ISO 27001, SOC 2), conduct risk assessments, manage audits, and enhance our security and compliance posture.
This role requires strong analytical skills, regulatory knowledge, and the ability to coordinate with multiple stakeholders (tech, business, legal, and third-party vendors) to ensure a robust risk management framework.
Key Responsibilities
Governance & Compliance
Ensure compliance with RBI Master Directions on IT Outsourcing, Digital Lending, and Cybersecurity for NBFCs.
Maintain and update internal policies (Information Security, Data Privacy, BCP-DR, Access Control, Asset Management, etc.) aligned with ISO 27001 & SOC 2.
Support implementation and compliance with the Digital Personal Data Protection (DPDP) Act, 2023.
Conduct periodic compliance reviews of internal processes and third-party vendors.
Risk Management
Perform Risk Assessments, Risk Treatment Plans, and Risk Registers across information assets, applications, and third-party relationships.
Map risks to Confidentiality, Integrity, and Availability (CIA) and criticality of assets.
Monitor and report on Key Risk Indicators (KRIs) and prepare dashboards for management review.
Support enterprise-wide IT and Operational Risk Management Frameworks.
Audit & Assurance
Coordinate and manage internal and external audits (ITGC, VAPT, SOC 2, ISO 27001 surveillance, statutory audits).
Prepare and maintain evidence for AWS Artifact, vendor attestations, bridging letters, and regulatory inspections.
Draft and track management responses to audit observations.
Drive closure of non-compliance findings and report status to senior management.
Third-Party Risk Management
Conduct vendor due diligence and periodic security assessments of LSPs, DLAs, and technology partners.
Ensure outsourcing agreements contain information security and data privacy clauses as mandated by RBI.
Track and monitor vendor compliance (penetration test reports, data localization attestations, certifications).
Business Continuity & Incident Management
Support BCP/DR drills (AWS Mumbai as Primary, Hyderabad as DR site, RPO 0, RTO 60 min).
Participate in Incident Response handling, root cause analysis, and regulatory reporting.
Maintain playbooks for Crisis Management, Data Breach Notifications, and CERT-In coordination.
Qualifications & Skills
Education & Certifications
Bachelor's degree in Information Security, Computer Science, or related field.
Preferred certifications: ISO 27001 LA, CISA, CISM, CISSP, CCSK, or RBI Cybersecurity Framework knowledge.
Experience
3-6 years of experience in Information Security / GRC / Risk / Compliance within BFSI, NBFC, or Fintech sector.
Strong understanding of regulatory frameworks (RBI, DPDP Act, IT Act, SPDI Rules, PCI-DSS optional).
Hands-on experience in ISO 27001, SOC 2 audits, vendor risk management, and ITGC reviews.
Core Competencies
Strong knowledge of AWS security controls (IAM, encryption, CloudWatch, GuardDuty, Macie).
Excellent skills in audit management, risk assessments, and policy documentation.
Strong interpersonal and communication skills for working with auditors, regulators, and internal teams.
Analytical thinker with the ability to interpret regulations into actionable controls.
What We Offer
Exposure to a dynamic and fast-growing digital lending ecosystem.
Opportunities to work on growing compliance and data protection frameworks.
Collaborative work environment with focus on professional growth and certifications.
Kissht
mumbai, maharashtra, india
Salary: Not disclosed