Responsibilities
- Create and refine governance, risk, and compliance documentation, including policies, standards, procedures, and control structures.
- Manage and support compliance efforts for SOC 2 Type II, ISO 27001, PCI DSS, and similar frameworks, including gathering evidence, validating controls, and tracking remediation.
- Work closely with security and platform teams to ensure compliance controls are operationalized in systems, not just documented.
- Coordinate with security architecture and engineering teams to evaluate whether security exceptions align with organizational risk and compliance standards.
- Monitor, evaluate, and periodically revalidate approved security exceptions to mitigate prolonged exposure to risk.
- Collaborate with procurement, legal, and application security teams to evaluate third-party vendor security postures and establish required remediation or contractual terms.
- Build efficient, repeatable processes for risk assessments, vendor evaluations, evidence collection, control testing, and reporting.
- Deliver focused training on governance, risk, and compliance topics, including risk accountability, exception management, and vendor security expectations.
- Generate and present reports on risk status, compliance posture, and third-party security for executive review.
- Convert technical security findings into clear business impact statements to support leadership decision-making.
- Conduct business impact analyses and lead business continuity and disaster recovery tabletop exercises.
