IT Compliance Analyst

Job Summary

The IT Compliance Analyst will perform assessments of our internal company compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 4. This individual will have extensive interactions relating to technical, procedural, and documentation controls with a wide range of technology and business functions that are required to be compliant. Activities may include assessing, managing, driving and tracking all PCI compliance-related activities, including the identification of compliance gaps, the development of remediation plans, monitoring compliance status, and ultimate completion of Reports of Compliance (RoC), Self-Assessment Questionnaires (SAQ), and Attestations of Compliance (AoC) consistent with all PCI Standards Security Council (SSC) requirements and specifications. 
The individual is expected to possess superior skills in security, risk and multiple technologies, problem-solving, project management, compliance/risk analysis, knowledge of information security processes and technology, technical report writing, and strong client handling and consultative skills. This professional should also have experience in more than one of the following skills: performing security assessments of networks, systems, policies, and processes; applying information security and risk-related frameworks (e.g., ISO/IEC 27001/2, NIST 800-53, OWASP, etc.). 

Responsibilities

• Conduct PCI DSS compliance assessment, resulting in a Report on Compliance, Self-Assessment Questionnaires, and the corresponding Attestation of Compliance for either 
• Conduct PCI DSS readiness assessment, providing guidance and recommendations in preparation for formal compliance assessment 
• Interact with various customer technical groups, business groups, subject matter experts, and key stakeholders to conduct interviews and identify and collect evidence required for the assessment 
• Perform other (non-PCI) Security Assessments focused on security infrastructure technology, people and processes vs. requirements defined in common or proprietary security frameworks 
• Identify areas requiring remediation (i.e., issues or gaps) or potential areas of improvement within the compliance process 
• Demonstrate critical thinking and creative analysis techniques in executing tests and distilling test results, and providing actionable recommendations for mitigation of gaps and improvements or enhancements to existing processes and procedures 
• Maintain and regularly communicate project status for stakeholder and management review 
• Create and deliver reports that effectively capture, explain, and communicate the results of assessments to varying technical and business audiences 

Qualifications

• 5+ years’ experience in Information Security and performing security assessments 
• 1+ years’ experience as a certified ISA or QSA (version 3.2.1 of the PCI DSS) 
• Strong background in Information Technology Infrastructure 
• Maintain a current security certification (i.e., CISSP, CISM, ISO 27001 Lead Implementor, METI – Registered Information Security Specialist) 
• Ability to work collaboratively with key customer stakeholders (e.g., process owners, technical resources ) and other team members 
• Excellent communication skills, both written and verbal, and the ability to communicate complex security concepts to technical and non-technical audiences, including senior leadership 
• Demonstrable time and technical project management skills 
• Experience with Microsoft Office products and the ability to develop clear, concise presentation materials and reports using PowerPoint, Word, and Excel 
• Experience or familiarity with Cloud environments and or Cloud Security 
• Experience or familiarity with Application Security 
• Experience or familiarity with Information Systems security 
• Experience or familiarity with Network, design, configuration, and security 
• Experience or familiarity with conducting Risk Assessments 

Additional Desired Qualifications and Skills: 

• Current ISA or QSA Certification with demonstrable PCI DSS v4 experience 
• Current audit certification (i.e., CISA, GIAC GSNA, ISO 27001 Lead Auditor, IRCA ISMS LeadPrincipal Auditor, IIA Certified Internal Auditor) 
• Familiarity with multiple security frameworks (NIST, ITIL, CobiT, ISO) and regulatory (HIPAA, GLBA, SOX, etc.) 
• College degree in technical discipline desired 
• Additional PCI SSC certifications (e.g., ASV, QPA, ISA, P2PE Assessor 3DES Assessor, etc.)