Your expertise in security, compliance, regulatory frameworks, platform management, vendor security reviews, customer interactions, cross-functional collaboration, and reporting will be instrumental in creating a strong synergy between our security and information security functions and providing valuable insights to leadership.
• Lead and manage the organization’s compliance efforts for PCI, SOC 2, FedRAMP, StateRAMP, ISO 2700x and other regulatory and security frameworks.
• Collaborate closely with our third-party auditing firms, coordinating audit activities and providing the necessary evidence.
• Conduct thorough assessments to ensure alignment with regulatory requirements and industry standards.
• Drive the timely resolution of audit findings by working with relevant teams to implement effective controls and solutions.
• Oversee the implementation of the SOC 2 and NIST security frameworks to assess and enhance the organization’s security maturity.
• Lead the development and execution of security maturity assessments using Archer, identifying gaps, vulnerabilities, and areas for improvement.
• Translate assessment results into actionable recommendations and strategic plans to enhance security posture.
GRC Compliance Management:
o Take ownership of the GRC platform.
o Utilize our GRC platform to monitor and maintain ongoing compliance with regulatory requirements and industry standards.
o Leverage our GRC platform insights to drive continuous improvement in our security controls and compliance practices.
Legal and Contract Collaboration:
o Work closely with the Legal and Security teams to ensure compliance with data protection regulations and contractual obligations.
o Review, negotiate, and redline contracts, including Data Protection Agreements (DPAs), with third-party vendors, partners, and customers to ensure data privacy and protection.
o Ensure that security and compliance considerations are integrated into contract negotiations and agreements.
• Lead vendor security reviews to assess the security posture of third-party vendors and partners.
• Conduct thorough evaluations of vendor security controls, policies, and practices to ensure they align with our security standards.
• Provide recommendations for risk mitigation and security improvements based on vendor security assessments.
• Handle customer questionnaires and requests related to our security attestations.
• Provide accurate and timely responses to customer inquiries, ensuring that customer concerns regarding security are addressed effectively.
• Liaise with cross-functional teams to gather necessary information and documentation for customer attestations.
• Work hand in hand with our security team to create synergy and alignment across security and compliance functions.
• Collaborate closely to develop and implement security strategies, initiatives, and risk management plans.
• Ensure consistent communication, knowledge sharing, and coordination between security and compliance efforts.
• 5+ years of experience in governance, risk management, and compliance roles, with a focus on information security and technology.
• Experience developing and implementing governance frameworks, risk assessment methodologies, and compliance programs.
• Familiarity with risk assessment techniques, including the identification, analysis, and treatment of risks.
• Demonstrated experience conducting compliance audits, assessments, and managing remediation efforts.
• Knowledge of security controls, industry best practices, and risk management frameworks.
• Strong understanding of business processes, systems, and technologies, and their associated risks.
• Experience performing Privacy Impact Assessments and Data Privacy Impact Assessments.
• Excellent communication and interpersonal skills, with the ability to effectively collaborate with stakeholders at all levels of the organization.
• Strong knowledge of the following regulatory frameworks: GDPR and HIPAA.
Nice to haves:
• Bachelor’s degree in Computer Science, Information Security, Risk Management, or a related field, or equivalent work experience.
• Strong knowledge of regulatory frameworks and standards such as ISO 27001, NIST Cybersecurity Framework, or PCI DSS.
• Professional certifications such as CISA, CRISC, CISSP, or CISM are highly desirable.