Compliance and Risk Management Team Lead -

Job Summary: This individual is a member of the Information Security Team, reporting to the Director of Operations, with responsibility for information security operations and compliance initiatives in a fast-paced Software as a Service (SaaS) environment. The candidate will handle the documentation, facilitation, remediation planning, risk management, and systems implementation coordination required to meet audit, control, and compliance requirements. The candidate will also work closely with the Information Technology and Security teams to design, manage, and implement specific remediation plans addressing improvement opportunities within internal processes and procedures, and will work with executive management to determine acceptable levels of risk for the organization.
Duties and Responsibilities:
• Manage a team of 3-10 security personnel to include all day-to-day functional duties, administrative responsibilities including reporting, work assignments, resource planning, and employee coaching, oversight, and evaluations
• Shall have the primary responsibility for implementing all of the security aspects of the System.
• Responsible for the Vulnerability Management lifecycle: discovery, risk analysis, review meetings, and remediation tracking, with monthly reports.
• Specify the process and policies, then implement, and maintain the systems for Security Information and Event Management.
• Primary responsibility for assigning development tasks to team members utilizing the Company's Online Project Communicator (OPC).
• Perform network traffic forensic analysis, using packet capture software, to isolate malicious network behavior and inappropriate network use and to identify insecure network protocols.
• Identify gaps and areas for improvement with regard to policies, procedures, standard practices, and training programs to ensure company compliance with applicable federal, state, and client security standards
• Use information security tools such as Burp Proxy, IBM Rational AppScan, Nessus, Kismet, Airsnort, NMAP, Ethereal, WebInspect and Nikto, together with manual techniques, to exploit vulnerabilities in the Open Web Application Security Project (OWASP) Top 10, including but not limited to cross-site scripting, SQL injection, session hijacking and buffer overflows, to obtain controlled access to target systems.
• Perform continuous ethical hacking on the internal environments for potential threats and vulnerabilities, and participate in vulnerability assessments (both internal and external) for networks and applications
• Work with internal and external resources on performing and reporting the annual penetration testing to include full white-hat testing; Must provide a detailed report and recommendations for improvements and remediation where applicable
• Work with internal and external stakeholders to assess security requirements, and approve/modify designs as needed
• Ensure vulnerabilities are mitigated in a timely fashion in accordance with the applicable compliance requirements
• Support incident responses for all security-related issues 24/7
• Participate in reviewing and responding to all 3rd party vendor and supplier review questionnaires and customer audit questions and remediation, including providing compliance-specific support documentation
• Ensure the security for all systems is actively maintained and hardened against industry, legal, and compliance standards
• Provide technical security review oversight of new architectural solutions, applications, and product offerings and identify potential risks and compliance requirements
• Ensure that the security systems protecting company assets, information, and client privacy are developed, maintained, and compliant
• Evaluate Information Security policy compliance, including internal and external audit initiatives and training programs for overall effectiveness
• Execute the long-term strategy for the Information Security department and provide input for the roadmap/action plan
• Manage multiple competing priorities in a fast-paced SaaS environment
• Support and participate in an on-call schedule for the Information Security team
• Manage third party security services, application vendors, evaluate new vendors and services
• Support incident responses for all security related issues in accordance with defined company policies and procedures; Act as a lead team member for the Security Incident Response Team (SIRT)
• Provide technical support for risk and compliance initiatives to ensure adherence, and for all compliance and audit efforts (internal and external), certification, and other compliance efforts including SOC2 Type II, PCI DSS 2.0-3.0, ISO27001/2 and FISMA; This will require the authoring and maintenance of policies and procedures

Desired Skills and Experience:
• Expert-level, hands-on subject matter expertise in the design, implementation, and support of a network-segmented, multi-domain Microsoft Active Directory (AD) environment
• Hands-on experience with proxy, Intrusion Detection System (IDS), Intrusion Protection System (IPS) and SPAM filters
• Hands-on working experience with Microsoft SQL Server 2012
• Working knowledge of agile and waterfall software development lifecycle methodologies
• Proven track record in building, leading, and driving technical design and operational security teams
• Hands-on experience in compliance/remediation efforts of relevant domestic and international security standards and best practices such as PII, PCI DSS, ISO 27001/2, SOC, OWASP, NIST, and other compliance standards
• Experience in security and compliance policy and process and procedure creation and ongoing management

Requirements:
• Must have a minimum of five (5) years of experience within the last seven (7) years in this job class.
• One or more industry-recognized security certifications preferred
• 3+ years of experience in one or more of the following Database Environments: Microsoft SQL Server, Oracle, Sybase, DB2 and MySQL.
• Experience reviewing or auditing IT general controls, network infrastructure, information security, SDLC, web server, database server, operating systems, and/or software applications to ensure compliance is maintained
• Experience in the implementation and management of both offensive and defensive security technologies in conjunction with commercial and federal information security compliance initiatives
• In depth technical understanding of network, systems, application, and cloud security
• Working knowledge of agile and waterfall software development lifecycle methodologies
• The ability to utilize analytics to help decision making in complex environments
• Highly developed cross-departmental leadership skills and the proven ability to develop successful partnerships with internal and external stakeholders
• Highly developed oral and written communication skills and strong presentation skills.
• Ability to simplify and report on complex technical functions and risks to senior management
• 3+ years of hands-on working experience with Windows Server 2012
• 3+ years practical experience in TCP/IP Networking.
• Knowledge of Industry Standards, e.g., ISO 17799/27001, NIST Publications and other Industry Related Security Standards.
• Knowledge of Industry Regulations, e.g., Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) or Corporate Compliance.
• Bachelor's Degree in Computer Science or related IT field.
• CISSP, CISM, MCSE, CCNA certification required