DoD and FedRAMP Compliance Management Analyst

Rackspace

Job Details

Location: Reston, Fairfax County, Virginia, USA Posted: Apr 04, 2020

Job Description

PRIMARY RESPONSIBILITY: Acts as an advocate in development of overall information security program globally. Creates and performs global IT Risk and Compliance assessments. Assists in development and execution of information security, compliance, and risk best practices globally through audits, assessments, and policy-making.

JOB SUMMARY: Manages our DISA Impact Level 4 and FedRAMP JAB authorizations for our managed private cloud and AWS platform. This includes control, policy, procedure, and standard development and implementation, as well as audit preparation, audit management, client audit support, and ongoing continuous monitoring program management. Leads the DoD and FedRAMP compliance programs, which includes building security plans, policies, and procedures, governing the internal compliance program functions, and managing POA&Ms and risk registers. In addition, the ideal candidate will have led FedRAMP and DoD audits for a cloud platform or a large internal system.
  • KNOWLEDGE/SKILLS/ABILITY: Advanced knowledge gained through an IT Risk Management, Governance, Risk and Compliance, Information Security, Data Privacy, Vendor Management, and/or Business Continuity Management role in a global organization, professional services/consulting firm, or within a related industry. Understands fundamentals of Network Security, Data Center operations, build pipelines, and cloud infrastructure security. Ability to develop and analyze reports from multiple sources, including Cisco, Sophos, Critical Watch, Rapid7 Nexpose, and SAINT. Familiarity with vulnerability scanners and Robotic Process Automation. Deep understanding of Cloud Computing technologies and migration challenges. Ability to implement security controls and SCTMs. Technology/software sales, consulting, or equivalent skills. Ability to architect/deploy/operate solutions built on Multi Cloud Web Services. Ability to develop automation processes and controls across multiple business units. Ability to apply knowledge of vulnerability management, risk management assessment, and IA policies and procedures to develop, implement, and maintain a secure business environment. Demonstrated organizational skills and ability to manage multiple projects at once, drive execution, and meet deadlines. Strong technical writing and verbal communication skills and the ability to present analysis and conclusions with clarity and professionalism to all levels of management. Proficiency with MS Word, MS Excel, MS PowerPoint, and MS Visio.
  • JOB COMPLEXITY: Leads cross-functional team members in strategy development and implementation of risk framework and compliance solutions. Independently performs complex and often unique work assignments and problem resolution. Serves as the subject matter expert to ensure documents, projects, processes, and product initiatives comply with regulatory and legal requirements and enterprise policy. Oversees implementation of operational and non-operational risk management programs by providing guidance and assistance to business units with the identification, evaluation, understanding, management, and communication of risk. Provides data and analytics in support of the risk officer and risk committees. Directs analysis and root cause identification. Develops and recommends compliance solutions impacting the enterprise. Develops the Risk Assessment process, charters, policies, methodologies, and reports. Leads cross-functional workgroups, communication strategies, and planning meetings to develop solutions that meet the objectives of both the business and the IT Risk, Compliance, and Information Security team. Develops data and analytics that communicate risk at the executive level. Develops training and communication on Information Security, IT Risk, and compliance. Maintains expert knowledge of the competitive/regulatory landscape and the company's key challenges. Coordinates and responds to regulatory requirements and requests, and ensures the execution of examinations. Conducts IT Risk and Information Security due diligence activities relative to vendors and third parties. Conducts risk assessments and documents findings where a deviation from an information security or IT Risk policy or standard is desired. Ensures risk remediation plans meet key business objectives and partners with the business owners to follow through with corrective action steps.
Provides subject matter expertise on security, privacy, and regulatory compliance to Sales, Marketing, Product Development, Legal, and Policy teams. Conducts detailed analysis of risk rating and risk appetite, and provides data-driven summaries to business leaders. Conducts annual audits for industry-specific reports, including PCI, ISO 27001, SOC, GDPR, HITRUST, SOX, FedRAMP, HIPAA, and CDSA. Documents and provides detailed analysis of findings where deviations exist through internal or external testing. Assists policy personnel in technical conversations with policy makers, industry bodies, and other third parties to advance Rackspace's message. Provides feedback to product management in the development of trust-related features, and supports regional security and compliance accreditation projects. Develops internal control testing and documented processes. Updates internal control matrices where necessary to support annually changing environments. Adapts and creates processes as applicable, including changes in processes or reporting metrics. Serves as the conduit between internal control owners and external auditors, including kickoff meetings, interview requests, closing meetings, and evidence gathering. Executes internal customer audits, which include scheduling, presentation of the Rackspace compliance portfolio, and overseeing the successful visit in conjunction with Account Managers. Responsible for adhering to company security policies and procedures as directed.
  • SUPERVISION: Works independently, receiving guidance on unique projects or assignments. Determines methods and procedures on assignments and may coordinate activities of other personnel. May provide guidance and training to new team members.
  • EXPERIENCE/EDUCATION: High school diploma or equivalent required. Bachelor’s degree in Computer Science, Computer Studies, Information Technology, Information Security or a related field is preferred. At least 8 years of related experience, including at least 6 years of experience managing matrixed teams is required. Security certification for IAM and IAT III, and CISSP required. Java, C++, Python, JavaScript, Network+, CCNP, ISA, CAP, CISA, ITIL, GRCP, CRISC, ISSEP, GCED, GCIA and/or CGEIT certifications preferred.
  • PHYSICAL DEMANDS: General office environment. Moderate levels of stress may occur at times. May require long periods sitting and viewing a computer monitor. No special physical demands required. Schedule flexibility to include working a weekend day regularly and holidays as required by the business for 24/7 operations. Occasional travel, less than 10%.
  • PERSON SPECIFICATION: Must be able to pass a Public Trust background check at hire. Must be a U.S. Citizen. May require further DoD security clearance.
  • POLICY COMPLIANCE: Responsible for adhering to company security policies and procedures and any other relevant policies and standards as directed.

About Rackspace

Rackspace provides hybrid cloud-based services that enable businesses to run their workload in a public or private cloud.
