The Manager of Risk & Compliance is a key member of Domo's Compliance team responsible for evaluating & supporting compliance initiatives covering information security, policy, risk management, data classification, vendor management, privacy, audit, & awareness. This position assists other members of the Compliance team with designing, developing & implementing information security policies & documentation, assessing compliance with existing policies, & overall compliance with security-related requirements from customers. In addition, this position assists with performing security assessments & monitoring & tracking compliance status; developing & improving processes, procedures, standards & guidance; providing guidance on security control implementation; & defining and implementing process improvement & maturity initiatives. The position will also be responsible for assisting in developing policies & procedures & evaluating risks & controls to support the company's Federal Information Security Management Act (FISMA) Security Accreditation (FedRAMP), ISO 27001, ISO 27018, SSAE 18, HITRUST, & other regulatory & compliance initiatives. Success in this role requires a good understanding of information security best practices, strong security knowledge, the ability to understand & communicate risk & controls, organization, planning, & good communication & writing skills.
- Work with internal stakeholder engineering teams to manage & document the implementation of security compliance control implementations for technical, management, & operational requirements.
- Manage the compliance program to collect & document technical architecture, operational processes & security policies from multiple internal engineering teams.
- Lead the gap analysis of current policies, procedures & practices as they relate to established guidelines outlined by NIST, FISMA, HIPAA, & other regulatory standards.
- Lead & perform risk assessments of technology infrastructure & operational processes & controls for assigned areas.
- Develop, build & maintain the controls matrix, in alignment with multiple compliance frameworks, including SOC 1 & SOC 2, ISO 27001, ISO 27018, FedRAMP, HITRUST, & HIPAA.
- Lead the development & maintenance of security documentation such as the System Security Plan, Privacy Impact Assessment, Configuration Management Plan, Contingency Plan, Contingency Plan Test Report, POA&M, annual FISMA assessment, & incident reports.
- Lead the establishment of rules for risk analyses & security assessments, including addressing controls defined by FIPS 199, NIST SP 800-37, NIST SP 800-53, & NIST SP 800-171 for both business operations & technical implementations throughout the company.
- Manage information security training & awareness programs.
- Manage & lead vendor management assessments & interface with vendors on occasion.
- Manage & track efforts related to threat & vulnerability assessment processes to monitor & remediate vulnerabilities in a timely manner.
- Bachelor's degree in Computer Science, Information Technology or related field.
- Minimum of 5 years' experience in security risk management, compliance, audit, & information security.
- CISSP, CISM, CISA, CCSA or equivalent certification required.
- Familiarity with enterprise-level compliance tools such as ServiceNow, Archer, IBM GRC or other industry equivalent software.
- Knowledge & experience in FedRAMP, NIST SP 800-53 Rev 4, NIST SP 800-37, FISMA, NIST RMF, NIST FIPS 199, ISO 27001, ISO 27018, SSAE 18, HIPAA & HITRUST.
- Experience in cloud-based environments for production applications, including Amazon Web Services, Microsoft Azure, GCP or other large-scale cloud deployments.
- Experience in the vulnerability assessment lifecycle from the point of identification to remediation.
- Understanding of risks & controls as they pertain to firewalls, IDS/IPS systems, malware controls, URL filtering tools, anti-spam systems, BYOD controls, DLP, VPN, web application firewalls, endpoint security controls, OS hardening, multi-factor authentication, encryption key management, mobile device management, wireless security, full disk encryption, database security controls, & network segmentation.
- Understanding of OS concepts & security concerns in Linux, MacOS X, & Windows systems.
- Interpersonal skills to work as a team member & as a liaison.
- Excellent verbal communication, presentation, organizational & planning skills.