Senior Compliance Analyst – Continuous Compliance Framework (Hybrid - Seattle)

About The Position

Requirements

• 4–6 years of regulatory compliance experience with demonstrated ownership of cross-functional compliance initiatives.
• Direct experience building and managing Continuous Compliance Framework (CCF) or Common Control Framework programs.
• Hands-on experience configuring compliance programs within GRC tools and platforms.
• Experience working with stakeholders to define control language, RACI, and testing cadence.
• Demonstrated experience developing KPIs and KRIs for compliance programs.
• Familiarity with PCI DSS sufficient to support assessments and control testing activities.
• Experience partnering with engineering or security teams to implement automated or AI-assisted control testing.
• Proven ability to align compliance operations with strategic business objectives.
• Bachelor’s or Master’s degree in Information Technology, Computer Science, Cybersecurity, or related field, or equivalent work experience.
• Deep knowledge about multiple regulatory frameworks (CIS, NIST, SOX, HIPAA, CCPA, PCI DSS v4.x) and their control implications.
• Experience testing technical controls and documenting evidence to support audits.
• Understanding of enterprise compliance architecture and integrated control frameworks.
• Familiarity with GRC tool configuration and workflow design.
• Knowledge of AI/automation tools applicable to compliance testing and evidence collection.
• Strong control framework design and documentation capabilities.
• Excellent stakeholder engagement and facilitation skills; able to drive consensus across technical and non-technical audiences.
• Ability to develop and communicate KPIs/KRIs and compliance metrics to leadership.
• Strong written and verbal communication skills, including experience presenting to senior leadership.
• Self-directed and results-oriented; able to operate with autonomy, manage competing priorities, and drive programs to completion.
• Collaborative mindset with the ability to work effectively across the GRC triad (risk, governance, compliance).

Nice To Haves

• Professional certifications preferred: CISA, CRISC, CIPP, CIPM, or equivalent.
• PCI ISA, QSA, or other PCI-related certifications a plus.
• Experience with GRC platform implementation and administration.
• Background in regulatory consulting or internal/external audit.
• Experience leading enterprise-wide compliance transformation initiatives.
• Proficiency in compliance automation, scripting, or security tooling.
• Familiarity with AI/ML-assisted compliance or security monitoring tools.

Responsibilities

• Lead the transformation and ongoing maturation of the CCF, including updating and tailoring controls to reflect the current organizational environment, risk profile, and regulatory landscape.
• Configure and manage the CCF program module within Nordstrom’s GRC tool, ensuring accurate representation of controls, testing schedules, evidence requirements, and ownership assignments.
• Collaborate with stakeholders across business and technology teams to define control language, testing frequency, and implementation guidance that is practical and aligned with operational realities.
• Document RACI models for all controls within the CCF, establishing clear ownership and accountability across teams.
• Design and implement KPIs and KRIs for the CCF and broader compliance program, enabling data-driven reporting on compliance health and risk exposure.
• Work closely with the Governance and Risk teams to ensure the CCF, risk management program, and governance program are integrated, with aligned control sets, shared evidence, and coordinated reporting.
• Identify opportunities to harmonize compliance controls with risk appetite and governance structures, reducing duplication and improving program efficiency.
• Participate in cross-GRC planning sessions to align timelines, control mappings, and stakeholder engagement strategies across all three programs.
• Support the development and communication of a unified GRC narrative for leadership, translating program health across risk, governance, and compliance into cohesive insights.
• Partner with Security Engineers to design AI-driven testing and automated evidence collection features within the GRC tool; the Senior Analyst provides functional requirements while Engineers lead technical builds.
• Serve as a subject matter partner to the PCI program owner to ensure CCF controls satisfy PCI DSS requirements and support the annual PCI assessment process.
• Design and implement enterprise compliance assessment methodologies that integrate multiple regulatory domains (e.g., NIST, CIS, SOX, HIPAA, CCPA).
• Develop operational standards and quality criteria for compliance processes, ensuring consistency and effectiveness across the organization.
• Serve as a subject matter resource for control testing approaches, evidence collection, and documentation quality.
• Engage cross-functional stakeholders to gather input on control design, testing feasibility, and ownership, building lasting partnerships that embed compliance into the technology ecosystem.
• Lead workshops and working sessions with stakeholders to define control requirements, discuss testing approaches, and align on program direction.
• Serve as a liaison with internal and external auditors as needed, representing the organization’s compliance posture and program maturity.
• Align CCF activities with strategic business and security objectives by participating in medium-term planning (6–18 months) and ensuring compliance initiatives support organizational goals.
• Contribute to the strategic vision and roadmap for the Compliance Assessment team, developing reusable, scalable solutions that enhance program efficiency and support organizational growth.
• Coordinate cross-functional compliance initiatives to ensure comprehensive regulatory coverage and consistent execution.

Benefits

• Medical/Vision
• Dental
• Retirement
• Paid Time Away
• Life Insurance
• Disability
• Merchandise Discount
• EAP Resources
• 401k
• PTO accruals
• Holidays