Senior IT Compliance Analyst, Security

Position Description

The Sr. IT Compliance Analyst should have in-depth technical knowledge and be the subject matter expert in IT Compliance Governance and audit compliance. In this role, the Sr. IT Compliance Analyst will work with the IT management team to evaluate controls, perform assessments to improve efficiency and effectiveness of the internal controls, monitor regulations for new or changed requirements, and coordinate with internal and external auditors to ensure compliance

The Sr. IT Compliance Analyst will be responsible for day to day planning, testing and coordination all IT related SOX and PII compliance processes, assessing IT general controls in connection with strategic initiatives, change management, technology operations, security and configurations as well as 3rd party service providers. The individual will also be responsible to facilitate control reviews to accommodate new business areas as well as changes in processes. Assist IT management in identifying gaps between policy and process, developing recommendations to remediate control weaknesses.

The Sr. IT Compliance Analyst will also be responsible for developing and maintaining relevant metrics utilizing the Tanium security compliance tool to track and trend overall health of our IT compliance posture, control deficiencies and remediation plans. Provide group and individual training classes for education and awareness to facilitate an acceptable IT compliance posture. This position will execute the SSAE 16 Audit reviews of key third party service providers to ensure compliance obligations are being met including the monitoring of any remediation plans to address their weaknesses

The Sr. IT Compliance Analyst will serve as a subject matter expert on IT Business plan initiatives. In addition, this position will be expected to coach and serve as an IT Compliance expert by providing direction to cross functional teams and ensuring that policies, procedures, and compliance leading practices for financial controls, data classification and privacy met our security standards and regulatory obligations.

Position Requirements

  • Define, execute and maintain a framework for IT Compliance management including validation and classification methods.
  • Plan, design and execute IT compliance testing, controls assessment and documentation across all domains for IT General Controls, (PCI DSS) Payment Card Industry, Data Privacy, HIPAA and other compliance requirements, as appropriate
  • Serve as IT general controls subject matter expert and trusted advisor; partner with the IT Security, Network and Application teams to evaluate the design and effectiveness of the control environment, both operational and technical; to develop trending for remediation efforts and overall compliance with regulatory and operational standards, and to build compliance programs including detailed exception reporting and complex configuration monitoring requirements
  • Provide direction and guidance in pre-implementation reviews of new systems to ensure proper controls are implemented and executed to meet compliance and leading practice standards
  • Lead day-to-day testing and reporting of IT compliance; monitor internal compliance standards against information security policies and processes.
  • Validate information security key controls to identify control risks, analyze root causes and trends in potential control weaknesses; suggest new controls to meet compliance standards where applicable
  • Maintain awareness of external regulations for new or changed requirements within IT and identify industry standards for core IT processes (e.g. NiST, PCI, ITIL, data privacy etc.)
  • Partner and facilitate internal and external audits within IT, as well as periodic assessments to address specific risks
  • Work with security team, audit, legal and HR management teams as required, including overseeing annual external ITGC Audits.
  • As an integral member of the team, exhibiting ownership, follow through, initiative, awareness and effective communication with peers and management and ability to speak to details of compliance initiatives to both the business and technical teams
  • Prepare audit summaries and results with senior IT management providing observations, recommendations and conclusions as well as evaluating management remediation action plans and related status reporting
  • Provide accurate, timely communications to IT and impacted management to discuss identified deficiencies, leading practices and recommendations for implementation of modifications to improve compliance and mitigate risk
  • Develop and deliver information security Compliance related training and awareness programs
  • Maintain a strong knowledge base of industry and technology trends as they apply to IT Compliance management.

IT Compliance Methodology:

  • Ability to help design and implement industry standard Compliance management practices across IT Operations and Development teams
  • Champion of IT Compliance methodology by demonstrating ownership of the design aspects of the operations lifecycle
  • Passionate about continuous improvement and ownership of security controls across systems and processes
  • Consistently shows the ability to mentor others in the assessment of Compliance as it relates to CarMax’s&reg: data.
  • Understand level of Compliances and exposure as it relates to systems, services and networks.
  • Driver of IT Compliance awareness type activities with proven results.

Customer Interaction and Business Knowledge:

  • Ability to understand the business requirements as well as provide a proposal of the appropriate information Compliance resolution to key controls.
  • Broad understanding of the business processes supported across all team’s environments.
  • Ability to lead customer/remediation meeting(s) for IT Compliance definitions, needs assessments and design reviews that impact all areas of business systems.
  • Collaborate with Internal Audit and Legal departments for control assessment improvements.


  • Able to help influence the IT Compliance direction of others in order to drive corporate Compliance acceptance to successful completion within the IT Compliance standards and guidance.
  • Proven ability to effectively communicate remediation and prevention approaches via leading practices
  • Ability to help develop and deliver IT general controls compliance awareness training and business understanding for business partners, engineers, developers and analysts.
  • Ability to drive through obstacles and time constraints to successfully deliver remediation to completion

Additional Responsibilities:

  • Partner with the Information security and IT teams to gain consensus on Compliance remediation approaches and establish key controls, security standards, patterns, policies, and leading practices for Compliance management
  • Investigating new standards, techniques and research ongoing industry developments for information Compliance management practices.


Strong understanding of key compliance regulations such as Sarbanes-Oxley, GLBA, HIPPA and Payment Card Industry (PCI), plus external regulations new or changed within IT and identify industry standards from which to modify core IT Compliance processes staying ahead of industry trends and emerging threats.

Experience in execution of an enterprise IT Compliance Governance framework, including the identification, assessment and mitigation of Compliance exposure: understanding how to balance the companies Compliance appetite and its overall impact

Must have detailed knowledge and experience with IT Controls across all domains and Operational testing procedures as it pertains to SOX, PCI and privacy

Demonstrated ability to compare and contrast alternative security Compliance approaches and methodologies while assessing Compliance both quantitatively and qualitatively to meet the business needs

Proven experience with influencing without authority to in order to gather test evidence and translate compliance findings into actions

Able to assess, identify, and document third party system compliance deficiencies and recommends solutions.

Excellent communication skills to include but not limited to verbal and written communication; delivering organized presentations; able to tailor message to the audience; and facilitate group discussions with diplomacy and seek diverse opinions

Excellent analytical, troubleshooting, and problem solving skills and performs well under fast paced, high pressure or stressful situations.

Possess strong organization and time management skills.

Ability to learn the business processes implemented in the team’s applications in Demonstrated flexibility

Education and/or Experience:

Bachelor’s degree in Business, with solid IT audit or compliance experience, or Computer Science, with solid business and IT Audit/Compliance experience.

In depth knowledge of information security, IT Compliance management industry frameworks and standards: NIST, OWASP, SANS, ISO-27001/2, SANS, and Cobit

5+ years working experience with IT Compliance management programs, IT Compliance or Auditing experience, controls testing, conducting ITGC and PCI assessments and leading related project teams as a security subject matter expert in privacy, data security and control issues with technologies such as Cloud, SaaS, Linux, Windows, VMware, Intrusion Prevention,

Previous working experience and knowledge of two or more security functions (IT Compliance Assessor, QSA, Security Specialist, IT Auditor)

Possession of industry certifications: CISA, CRISC, CISSP, CIA, CISM, PCI

Dedication and commitment to world class service and to exceeding customer expectations

Desire to keep current with technology and emerging IT Compliance trends

Back to top