Security Engineer (Compliance)

About The Position

Requirements

• 5+ years of proven work experience as a System or Information Security Engineer, Compliance Engineer, or Risk Engineer.
• Detailed technical knowledge of compliance frameworks and their application across systems and organizations.
• Thorough understanding of the latest security principles, techniques, and protocols.
• Problem solving skills and ability to work under pressure.
• Experience with compliance frameworks (e.g., SOC 1 and 2, ISO 27001, CSA STAR, NIST CSF).
• Familiarity with web related technologies (Web applications, Web Services, Service Oriented Architectures) and network/web related protocols.
• Experience with cloud services (Microsoft 365, SharePoint Online, Microsoft Azure, and Amazon Web Services).
• Operational understanding of security systems, including firewalls, intrusion detection systems, anti-virus software, authentication systems, log management, and content.
• Candidate must be able to submit verification of his/her legal right to work in the U.S., without company sponsorship.

Nice To Haves

• Ideal candidates will have a strong risk background that includes: risk identification, adjudication, and mitigation development experience; experience working with engineering teams to document, plan, and address identified risk items; documentation and communication of identified risks to organizational leadership (up to and include the Executive Leadership Team or ELT); regular review and maintenance of residual risk items; and ownership of risks and the applicable risk lifecycle through risk identification, adjudication, mitigation/reduction, avoidance, transference, realization, and retirement.

Responsibilities

• Own, manage, and support the application of key compliance frameworks (SOC 1 and 2, ISO 27001, CSA STAR, NIST CSF, etc).
• Develop, control, and maintain applicable organizational policies, procedures, best practices, and guides associated with key compliance requirements and in support of annual audits.
• Assist in the development and implementation of an internal audit program designed to: measure the effectiveness of organizational processes and procedures; assess organizational adherence to those processes and procedures; identify opportunities for organizational and systemic process improvement; and alert the organization about emerging risks to the comprehensive compliance program.
• Support the Risk Management Program with a goal of making risk-based decisions an integrated part of the cultural landscape, including: risk identification; risk mitigation; risk monitoring; risk reporting; and documentation of risk realization and/or retirement.
• Work closely with the Security Operations (SecOps) team to ensure security functions meet operational compliance requirements and will meet/exceed independent annual audit standards.
• Ensure technical, operational, and administrative controls are fully operable and meet standards necessary for SOC 1 and 2 audits.
• Support Quarterly Access Reviews (QARs) as part of the larger User Access Request process.