Compliance Analyst, Technology - Security Analyst II

GapTech is looking for a responsible individual, preferably with at least 5 years' experience in Information Security as it relates to Compliance Management. This individual will support the Compliance Program by assessing compliance with various external regulations, including PCI DSS and SOX, and the privacy risk posture of current business initiatives; partnering with key stakeholders to drive remediation of security issues; reporting critical risks to leadership; and aligning the security program with common security frameworks (e.g., NIST CSF, NIST SP 800-53). This role will work closely with key business partners to develop strategies to maintain ongoing compliance and reduce identified risks across new projects.

Responsibilities:

  • Monitor and assess compliance with Information Security standards and regulations as they relate to the retail industry, e.g., ISO 27001/27002, Cloud Security Alliance, SOX, and PCI DSS
  • Develop and manage multiple risk management programs and initiatives based on best-practice frameworks (e.g., ISO and NIST frameworks); assess compliance with control structures
  • Communicate effectively regarding security, privacy, risk, and compliance to senior business leaders and fellow team members; report status, findings and risks to operational and executive management
  • Develop and maintain a Vendor Risk Management Program, including performing third-party security reviews for new vendors, engaging with key business partners in successful vendor selection and onboarding, and monitoring existing vendors to ensure annual compliance with Gap security standards
  • Partner with Legal to define and review Information Security Agreements to ensure vendors are aligned with Gap Inc.’s security policies and standards
  • Develop a program to review and assess IT control environments for compliance with updated policies and standards
  • Partner with internal and third-party technology teams and with Internal and External Auditors to review and update security controls and processes
  • Work closely with the Risk Management team for communication of the company’s security posture, including compliance issues, risks, and incidents to upper management and customers

Qualifications:

  • 3-5 years’ experience leading IT compliance programs
  • 3-5 years of experience developing and maintaining policies and standards and an effective Vendor Management Program
  • Ability to manage staff who do not report directly to you
  • Ability to deliver on goals in an environment that is ambivalent toward compliance, policy, and risk
  • Ability to communicate effectively with all levels of management, translating technical risks into business terms that can be understood by executive management
  • Ability to manage vendors
  • Detailed knowledge of PCI DSS, COBIT, SOX General Computer Controls (GCC), ISO 27001, ITIL, HIPAA, privacy acts, and other IT compliance frameworks
  • Experienced with the Microsoft Office suite of tools
  • Attention to detail, patience and flexibility
  • Multitasking and time management skills
  • Excellent verbal and written communication skills
  • Certified Information Systems Security Professional (CISSP), Qualified Security Assessor (QSA), or Certified Information Systems Auditor (CISA) preferred
  • 4-year college degree preferred
