IT Compliance Analyst
Reporting to the Sr. Manager IT Compliance, the IT Compliance Analyst will plan and coordinate information security compliance activities throughout the company. The focus of this position is to maintain compliance with annual ISO 27001/27002 certification, Sarbanes-Oxley (SOX ITGC), PCI, EU data privacy safeguards and client contractual security requirements.
This is an outstanding opportunity to help refine and improve the company’s existing IT compliance program and take it to the next level. The IT Compliance Analyst supports, and receives direction from, the Sr. Manager IT Compliance in managing the global IT Compliance program by serving as a liaison for external audit agencies and by coordinating the audit activities of other personnel within the broader company.
As the IT Compliance Analyst, you will be responsible for assisting with planning, communicating, and executing IT-related audits and compliance activities. This includes completing detailed process reviews to assess key risk areas, refining individual controls as needed, and assessing compliance with applicable regulations. Additionally, this role will be heavily involved in coordinating GDPR compliance.
The IT Compliance Analyst may also be required to evaluate other aspects of the IT environment such as change management, system development, vendor management, incident response, business continuity, user access, and security policies.
Our compliance team is small but highly efficient. Our goal is to make IT Compliance Audits as easy as possible for our internal control owners, as well as the agencies that perform our audits. Our vision is to be prepared for any audit, at any time, on short notice.
• Participate in the planning, execution, and reporting of IT Audit and Compliance initiatives.
• Develop test plans and procedures to assess the effectiveness of IT controls; make recommendations on combining, splitting, or changing controls as necessary to address external requirements.
• Perform year-round IT compliance testing to assess risk, evaluate controls, and maintain compliance.
• Develop recommendations to mitigate risks and correct control deficiencies. Provide advice to business and technical personnel regarding best practices and alternative risk choices based on cost/benefit.
• Monitor and track the results of audits and compliance reviews, identifying patterns to predict future issues and proactively applying corrective actions or changes in approach to reach a better outcome.
• Communicate project status, concerns, or issues to management in a timely manner.
• Participate in special projects pertaining to IT Compliance initiatives.
• Perform other duties and responsibilities as assigned.
• May travel 5-10% per year, usually within Europe, with occasional trips to the US or Asia Pacific.
Required Experience and Skills:
• Understanding of and experience with IT audits, compliance, and information security best practice.
• 2-3 years of hands-on experience preparing for or conducting IT audits or compliance reviews in medium to large corporate environments (public companies preferred), or Big-4 work experience (Deloitte, PricewaterhouseCoopers, Ernst & Young, or KPMG).
• Experience implementing or assisting with the audit of one or more of the following: ISO 27001/27002, PCI-DSS, SSAE-16 SOC1/SOC2, Sarbanes-Oxley (SOX), NIST 800-53, HIPAA (HITECH), COBIT or COSO.
• Experience with implementing and evaluating the organization's readiness for GDPR is preferred.
• General information technology and technical knowledge (database technologies, web services, cloud services, etc.).
• Ability to explain security and compliance requirements to a broad range of technical and non-technical employees, at all levels of the organization, using verbal, visual and text media.
• Ability to modify approach, language, and communication style to different audiences (including personnel whose native language is not English) and to different personality types and attitudes.
• Desire and ability to maintain a high level of knowledge and expertise in information technology and the IT security industry through self-study, formal training, professional networking, reviewing professional articles and publications, etc.
• Preferred but not required: Bachelor's degree in Computer Science, Information Security, or Engineering (or an equivalent degree).
• Preferred but not required: certification(s) such as Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Security+, Systems Security Certified Practitioner (SSCP), or PCI Professional (PCIP).
ServiceSource is the global leader in recurring revenue management. The world's most successful companies rely on us to maximize subscription, maintenance and support revenue, improve customer retention and increase business predictability and insight. ServiceSource delivers results with Renew OnDemand™, the world's only cloud application built specifically to manage and grow recurring revenue, which can be combined with our industry-leading services and unique pay-for-performance model. With over a decade of experience focused exclusively in growing recurring revenue, our services and applications are based on proven best practices and global benchmarks. The Company is headquartered in San Francisco, and has over $7B under management for customers in more than 150 countries and 40 languages.