Description of Position:
This position works as part of a security team responsible for ensuring that the company's information resources are secure from unauthorized access, protected from inappropriate alteration, physically secure, and available to users in a timely fashion. This position serves as an internal information security consultant and will be the subject matter expert responsible for designing, implementing, and supporting a security control framework for a multi-tenant software-as-a-service product. Primary responsibilities include oversight of SOC 1 and SOC 2 audits and monitoring of control activities in certified environments. This position demands an organized, detail-oriented team player with the ability to prioritize daily work and support multiple initiatives simultaneously; strong communication skills and customer focus are required.
Tasks and Responsibilities:
- Provide information security expertise and support to assist in the achievement of both corporate and cloud compliance programs.
- Provide expertise and support in customer hosted environments to ensure control activities are designed and implemented appropriately to protect the security, confidentiality, privacy, integrity and availability of data in compliance with organization policies and standards.
- Oversee a continuous monitoring program to confirm that management can assert the control environment is operating effectively.
- Implement and monitor corporate business processes, recommend improvements and assist stakeholders to achieve information security goals and objectives related to business process and IT general controls.
- Conduct risk assessments in SOC 1 and SOC 2 environments and monitor remediation activities.
- Manage the relationship with external auditors, oversee coordination of audit fieldwork, and review evidence provided to external auditors.
- Utilize industry experience and knowledge to provide expertise and support to ensure the company's security framework remains in compliance with applicable regulations, including evolving data privacy regulations.
- As a strategic partner to internal stakeholders, consult on projects that automate business processes and drive employee efficiency, designing and implementing new controls to achieve compliance objectives.
- Support third-party security risk assessments and IT audits, and track findings through to resolution.
- Provide expertise in support of new product development activities to ensure products/services comply with information security and privacy standards; provide consultation around the design and implementation of new Information Technology and business process controls.
- Support the development, implementation, and updating of security policies and procedures.
- Participate in calls with customers and prospective customers to discuss the Information Security programs and controls.
- Perform additional duties and projects as assigned by management.
Recommended skills, abilities, and certifications:
- BS/BA degree in Information Systems, Computer Science, or an IT audit-related discipline, or equivalent experience, and a minimum of 5-7 years of related work experience in information security governance and/or related functions (such as internal controls, IT audit, privacy, and risk management).
- Demonstrated experience with audit frameworks including SSAE 16/18 SOC 1, SOC 2, and ISO 27001.
- Demonstrated experience working as an expert in information security, risk management or IT audit.
- Demonstrated experience articulating technical concepts to non-technical users.
- Excellent analytical skills to identify security risks and the appropriate measures needed to help mitigate those risks. Must be comfortable conducting independent research of issues and inquiries in order to provide guidance when requested.
- Excellent verbal and written communication skills to develop positive relationships and effectively communicate with employees, customers, auditors, business partners, and all levels of management.
- CISA, CISM, CRISC, CISSP, CPA or similar certification preferred.