Senior Compliance Specialist, Governance, Risk and Compliance
In this role, your responsibilities will include:
- Help oversee and mentor existing compliance analyst(s)
- Work with external auditors and controls owners on SOC 2 and ISO 27001/17/18 including:
- Ensure contracting is in place with external auditor to conduct attestation/certifications on an annual basis
- Confirm scope of SOC 2 and ISO audits
- Prepare the ISO scope documentation and Statement of Applicability (SOA)
- Develop project plan including key milestones and timelines, working with HashiCorp’s auditor
- Identify and confirm control owners before the audit begins
- Prepare control owners for external assessments
- Prepare internal communications, including weekly status updates that outline the status of the program, potential risks and call to action items
- Host walkthroughs and prepare and/or review walkthrough agendas
- Perform the final review of evidence that is gathered by control owners before submitting to the auditors
- Monitoring and tracking control exceptions, if applicable, and help teams create remediation plans for gaps/audit findings
- Development of the system description, including working with relevant control owners for input
- Prepare and facilitate regular management reviews as part of ISO 27001
- Provide program oversight of the annual ISO Internal Audit
- Maintain and document the scope/boundaries of the compliance program (cloud accounts, repositories, Github teams, etc.) including updates, removals and additions.
- Identify and propose improvement to the Security Policy and participate in the annual Security Policy review
- Support requests received for Security Policy exceptions, including following up on approved exceptions expiring.
- Maintain documentation such as HashiCorp’s Common Control Framework (CCF), including developing new controls, completeness and accuracy of the information including framework mappings
- Work with controls owners to identify opportunities for automating manual processes and controls
- Develop, maintain and deliver on control owner enablement trainings
- Provide input on program metrics and collect and report on metrics data
- Support other GRC tasks as required
Must have qualifications
- Minimum of 8 years of related professional compliance and controls program experience
- Previous experience in a cloud environment, preferably AWS and/or Azure
- Advanced level knowledge either SOC 2 or ISO 27001
- Experience leading internal and/or external audits, working as the liaison between auditors and the business
- Comfortable working with both deeply technical and non-technical resources
- Flexible in daily hours (e.g. willingness to work longer hours during end of quarter and peak periods, and audit)
- Highly responsive
- Ability to prioritize and track multiple projects and tasks in parallel
Desired Qualifications
- Experience working in a large, multi-cloud environment
- Deep understanding of common security compliance frameworks, attestations and certifications
- Previous experience at a technology or SaaS company in a similar role
- Experience working with OSCAL
#LI-RemoteIndividual pay within the range will be determined based on job related-factors such as skills, experience, and education or training.The base pay range for this role in the SF Bay Area / NYC area is:$212,500—$250,000 USDThe base pay range for this role in Seattle Metro, Denver / Boulder Metro, New York (excluding NYC), Washington D.C., or California (excluding SF Bay Area) is:$194,700—$229,100 USDThe base pay range for this role in Colorado (excluding Denver / Boulder Metro) and Washington (excluding Seattle Metro) is:$177,100—$208,300 USD
