The IT Compliance Manager's role is to assess and oversee all technology-related controls across the organization, including change management, regulatory, data privacy, user access, segregation of duties, and data integrity, as well as ensuring compliance with security policies, guidelines, procedures, and other elements necessary to maintain the security posture.
The IT Compliance Manager works directly with Legal, Information Security, Finance, External Auditors, Human Resources and Corporate Compliance to ensure organizational alignment. The role is accountable for compliance management, assessment and remediation, as well as verifying that policies and procedures are maintained and adhered to, in order to ensure satisfactory completion of the annual internal and third-party audits for SOX 404, HIPAA, PCI-DSS and GDPR.
The IT compliance team provides unbiased risk assessments of compliance within IT for all applicable regulations governing the organization's information technology and security systems. This includes evaluating compliance, examining vendor contracts for terms of service, and understanding third-party risk and data privacy issues. The manager also serves as the expert on all applicable regulatory compliance issues. Prior experience in an international enterprise environment is essential.
- Bachelor's degree is required. Candidates must possess significant analytical skills, developed through academic training in Cybersecurity, Information Systems, Computer Science, or a similar discipline.
- Minimum 3 years of IT Compliance, Information Security and Audit experience, including business experience in Information Security.
- Proficiency in implementing and auditing security measures, security response, and incident management.
- Proficiency in performing risk, business impact analysis, control and vulnerability assessments, and in defining remediation strategies.
- Knowledge and experience with Microsoft Office and Visio.
- Familiarity with the NIST, SOX, GDPR, ITIL, COBIT, ISO 27000 and PCI-DSS cyber security frameworks, their constituent components and their compliance requirements.
- Ability to maintain an up-to-date knowledge of the IT compliance and regulatory industry including awareness of emerging or updated global data privacy laws.
- Ability to function as a subject matter expert to other IT/business groups on compliance related matters.
- Working knowledge of IT security controls for servers, databases, PCs, laptops, and tablets. General understanding of various computer-operating environments, including MS-Windows, Linux, Cisco, macOS and tablets.
- Working knowledge of IT processes, such as change management, general computer operations, user access control and project governance.
- Develop and manage an effective, goal-oriented and motivated team. This includes providing and receiving constructive feedback, prioritizing workload, maintaining appropriate technical skills within the team, defining goals and objectives, and performing annual performance appraisals.
- Manage IT compliance projects to ensure that delivery is on time, within budget and adapted to meet requirements.
- Participate in vendor contract reviews for cybersecurity performance, assess vendor access to data, perform due diligence to determine vendor or cloud provider resiliency against threats, and incident response.
- Develop security, risk and compliance reports and alerts.
- Develop policies and procedures to support information security, risk and security compliance activities, including defining KPIs and measuring performance to ensure effective controls.
- Facilitate the creation and upkeep of all technology compliance policies.
- Develop and support the IT security/ risk training curriculum while continually learning and promoting the awareness of applicable standards, risks and best practices to ensure compliance to security policies across the organization.
- Create an IT compliance training and awareness program that periodically educates the user community on the relevant IT compliance requirements and certifies their adherence to the relevant IT compliance controls. (To be done in conjunction with yearly security awareness training)
- Determine and maintain an inventory of all applicable regulatory, commercial and organizational technology compliance requirements.
- Work with IT leaders to develop team specific strategic roadmaps and annual budget. Monitor spending to ensure budget compliance and delivery of roadmap initiatives.
- Work with IT leaders to develop change management policy and procedure, monitor compliance and chair Change Advisory Board meetings.
- Provide advice and insight on IT compliance requirements to business leaders.
- Assist business and IT managers with the acquisition of tools and applications to assist with IT compliance-related projects, audits and initiatives.
- Determine requirements and evaluate tools and applications to assist with IT compliance-related projects, audits, and initiatives.
- Develop and review IT compliance control monitoring programs to ensure IT compliance-related risks are managed to the acceptable level of corporate risk.
- Create and maintain an IT compliance risk assessment scorecard and periodically assess the regulatory, commercial, governmental and organizational IT compliance risks.
- Identify the associated IT compliance control gaps for submission to GRC Team for approval and oversee the documentation, implementation, testing and remediation of the entire IT compliance control portfolio.
- Validate internal security assessments, penetration tests, vulnerability scans and security organization maturity assessments (HIPAA, PCI, etc.), using and complying with frameworks and regulations such as COBIT, NIST (800-53, Cybersecurity Framework), ISO, ITIL, PCI, GLBA, GDPR, HIPAA, and other data privacy and security standards and regulations.
- Manage the annual IT SOX, PCI-DSS and HIPAA internal/external audits and remediation planning in coordination with cross-functional teams and entities within the organization.
- Coordinate audit-related tasks such as ensuring the readiness of IT managers and their organizations for audit testing and facilitating the timely resolution of any audit findings.
- Ensure GDPR compliance including working with the business to complete Record of Processing Activities (“ROPA”) and Data Protection Impact Assessment (“DPIA”) for all applications.