Reference # 19-00038
Title Technical Risk and Compliance Analyst
Location Glendale, ARIZONA
Position Type Contract
Experience Level Contract
Start Date / End Date 14-01-2019 --- 30-11--0001
Description
We have a new career opportunity as a PCI Compliance Lead. The position will lead the PCI compliance efforts and will be involved in getting information and evidence documents needed from all divisions of this enterprise. The position will also create, prepare, direct and perform PCI DSS focused training and lead the overall development and implementation of the PCI compliance program focused around testing of security controls and processes that align with ISO and NIST. Additionally, the position will advocate compliance with our policies and procedures and other governing standards or requirements, as well as partner with peers on the Risk and Compliance team to promote ethical behavior, facilitate ethical decision-making, and lead the ongoing compliance management activities and functions that support the compliance program.

• Works as part of the Security Strategy, Risk and Compliance Team
• Utilize skills and knowledge of GRC concepts, processes, frameworks and technologies to assist IT GRC team in managing GRC program
• Provide advisory services in risk assessments, analysis, acceptance and threat modeling as necessary to meet business and IT demands
• Integrate GRC practices into existing IT entities and their policies and procedures to ensure compliance and reduce risk factors
• Identify security issues and risks, and assist the risk owner in developing mitigation plans
• Lead the PCI compliance efforts. Looking for someone who has previous experience in meeting PCI Compliance requirements.
• This person would be involved with getting information and documents needed from all the divisions within the enterprise to present to the QSA as evidence of compliance
• Great communication skills are required - individual will be working closely with all levels of IT and Business managers as well as briefing company executives and interfacing directly with our Qualified Security Assessor (QSA)

• Analytical skills are necessary to evaluate submitted documents for completeness as well as the appropriateness of meeting the requirements being presented.
• Has a good understanding of testing within the security space
• Create, prepare, direct and/or perform PCI DSS focused training
• Strong understanding of PCI DSS, payment processes and related systems is a must
• Knowledge of PCI processes and requirements and how to run PCI certification efforts
• Drive the development of compliance controls and procedures. This may include policies, procedures, standards, job aids, or other activities.
• Drive detailed documentation related to compliance procedures and controls (including the development of process maps)
• Document and recommend compliance controls
• Assists with projects/initiatives requiring risk and compliance review and approval
• Assists with design and execution of risk assessments
• Drive compliance planning and on-going maintenance, including program documentation updates and revisions
• Develop and conduct risk assessments for specific business units/sub-processes.
• Oversee the development of compliance program
• Perform on-going maintenance of compliance program, assists with business impact analysis
• Schedule and assist in coordinating annual compliance exercises
• Help determine and develop compliance reporting
• Perform trend analysis and other compliance analysis to assist with the effectiveness of the compliance program. Make recommendations to the Compliance Leadership regarding improvement opportunities.
• Perform trend and compliance analysis
• Identify trend/gap focus areas and make appropriate recommendations to enhance the compliance program
• Monitor industry and regulatory developments in partnership with legal team and make recommendations to Compliance Leadership
• Work with Compliance Manager and various business units/departments to build relationships and strengthen the compliance program through monitoring and testing of controls
• Build and strengthen relationships with business owners
• Regulatory Compliance: Business Continuity Planning
• IT Compliance: 3rd Party Management Compliance
• Provide support to the Risk and Compliance team in the area of risk, audit support for regulatory audits (PCI-DSS, MAR, DOI, DMV, etc.) and developing internal standards, policies and procedures as required
• Complete Third Party Security and Risk assessments ensuring the company maintains a reduced risk posture, the suppliers adhere to CSAA prescribed security measures and meet mandatory regulatory minimum standards
• Provide valuable input into the IT Governance, Risk and Compliance eGRC platform development and maintenance. Understanding of regulatory requirements is critical.
• Review business processes for overall effectiveness as well as risks associated with the internal controls system
• Provide guidance to management in regards to regulation, policies, applicable law and compliance issues
• Ability to evaluate security controls for effectiveness and compliance alignment
• Provide oversight and assistance in development of internal and external security assessment remediation efforts
• Contribute to internal IT security assessments
• Assist in maintaining control, asset, risk and guideline mappings within the eGRC platform

Skills
• Knowledge of security leading practices, network analysis, systems hardening, encryption technologies, certificates, mobile and web application security, file transfer processes.
• Understanding of enterprise server security technologies, networking & security protocols, authentication schemes and technologies
• Knowledge of system security vulnerabilities and remediation
• Proficient in platform internals, troubleshooting, debugging and root cause analysis
• Technical knowledge in security engineering, system and network security, authentication and security protocols, cryptography, and application security
• Technical knowledge in security and network system monitoring
• Knowledge of network and web related protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)
• Proven ability to work independently, as well as collaboratively, in day to day work, as well as work on projects, and other assignments.
• Excellent written and oral communications skills
• Good organizational, multi-tasking and time-management skills

Education
• Minimum 4 years' experience in an information security related role.
• Minimum 2 years' experience conducting security control assessments or audits
• Minimum 2 years' experience developing or managing a security awareness program
• Understanding of PCI and Model Audit Rule (MAR) requirements, ISO security standards including 27001, 27002 and 27005, NIST, Department of Insurance regulations, HIPAA, and other regulatory guidelines
• Experience with IT risk assessment methodologies
• Certification(s) in industry-adopted security expertise areas such as Certified in Risk and Information Systems Controls (CRISC), Certified Information Systems Security Professional (CISSP), GIAC Information Systems Professional (GISP), Certified Information Security Manager (CISM), or Internal Security Assessor (ISA)

Preferred Skills/Experience:
• Bachelor's degree in Computer Science, Information Systems or related technical discipline.
• Minimum 6 years' experience in an information security related role
• Minimum 4 years' experience conducting security control assessments or audits
• Minimum 4 years' experience developing or managing a security awareness program
• Experience with the application of threat modeling or other risk identification techniques
• Experience with an industry accepted GRC platform such as Archer, Keylight, MetricStream, etc.
• Experience with service-oriented architecture and web services security
• Experience working within or running a compliance program