Senior Product Security Compliance Manager (remote)

04 Oct 2024

Vacancy expired!

For this role you may work remotely or at SAS HQ in Cary, NC.

Are you a problem solver, explorer, and knowledge seeker - always asking, "What if?"

If so, then you may be the new team member we're looking for. Because at SAS, your curiosity matters - whether you're developing algorithms, creating customer experiences or answering critical questions. Curiosity is our code, and the opportunities here are endless.

What we do

We're the leader in analytics. Through our software and services, we inspire customers around the world to transform data into intelligence. Our curiosity fuels innovation, pushing boundaries, challenging the status quo and changing the way we live.

What you'll do

We're looking for a Senior Product Security Compliance Manager to join our R&D Quality & Compliance Team to help drive visibility, understanding, and compliance with application security policies. As an R&D compliance specialist, you will perform product security compliance audits, identify and qualify technical solutions / approaches, and drive prioritized remediation of control and compliance findings. You will partner with global project teams and management to identify areas of risk, recommend controls, and influence changes and decisions. As a member of the R&D Quality and Compliance team you will assist with both internal and external audits to determine present and future risks, as well as prepare reports to help management make decisions around risk remediation, acceptance, and avoidance.

You will:
  • Lead compliance program/project initiatives, audits, and benchmarking of R&D product security policies against best practices and standards, which may include ISO 27001, NIST 800-53, and other NIST special publications.
  • Participate in security investigations and compliance reviews of R&D developed products as required by internal or external audit plans.
  • Coordinate with stakeholders to ensure all product security related policy exceptions and risk acceptances are managed in accordance with company policies and standards.
  • Complete product security risk assessments with emphasis on processes, infrastructure, security, compliance with internal and external regulations, and major company projects.
  • Prepare and deliver compliance reports to leadership that effectively communicate trends, highlight relevant findings or risks, and identify remediation recommendations.
  • Interpret internal policy and commercial and government regulatory compliance requirements (ISO, FedRAMP, PCI-DSS, etc.) into technical requirement specifications for engineering and operations teams.
  • Apply knowledge of, and experience with, leading-practice controls across hyperscale Cloud Service Providers (together with modern software development and delivery) to consult with technical teams and collaboratively identify, evaluate, and recommend architecture designs and solutions that satisfy compliance and control requirements and close gaps.
  • Collaborate with cross-functional teams (including engineering, product management, sales operations, and finance) to develop business- and risk-appropriate control implementation solutions that meet all required corporate policies.
  • Research and communicate the latest product security compliance best practices and updates, staying abreast of new governance initiatives that may impact our customers or business processes.
  • Maintain knowledge and understanding of internal systems/business changes, which may impact effectiveness of internal controls.
  • Collaborate with project and program management to define and deploy data solutions to proactively identify, evaluate, and monitor potential compliance violations and findings.
  • Provide requirements to engineering and DevOps to support incorporating automated compliance tools and processes into the CI/CD pipeline.

What we're looking for
  • 7-9 years of relevant application security / assurance and / or product security audit experience (with bias towards control design and implementation).
  • Ability to communicate clearly, to both technical and non-technical audiences, the risks, threats, and vulnerabilities identified during assessments.
  • Ability to communicate clearly and concisely with internal and external parties, building strong partnerships with partner organizations.
  • Hands-on experience with one or more of the following security standards and technical / compliance requirements: ISO 27001, NIST 800-53, FedRAMP Moderate, ITAR.
  • In-depth knowledge of PaaS and IaaS security controls and architecture of leading hyperscale Cloud Service Providers.
  • Hands-on experience with one or more of the following hyperscale Cloud Service Providers is required: AWS, Azure, or GCP.
  • Strong knowledge of infrastructure, database, and application security.
  • Proficiency with commonly used SaaS tools, such as JIRA, ServiceNow, O365 apps, etc.
  • Experience with SCA, SAST, DAST, and/or penetration testing workflows, tools, and methodologies.
  • You're curious, passionate, authentic and accountable. These are our values and influence everything we do.

The nice to haves
  • Previous experience with delivering security compliance, risk management and IT audit programs at tech companies preferred.
  • CISSP, CSSLP, CCSP, CISA, or AWS Security or Azure Security certifications
  • Experience with one or more of FedRAMP High, SOX, PCI, HIPAA, etc.
  • Experience with open source license compliance and component management (SBOMs).
  • Experience assessing and measuring software process maturity and secure development lifecycles against software security maturity models (SAMM, BSIMM).
  • Experience implementing and auditing compliance in CI/CD pipelines.
  • Experience with encryption export regulation compliance and cryptography export controls.

Why SAS

We love living the #SASlife and believe that happy, healthy people have a passion for life, and bring that energy to work. No matter what your specialty or where you are in the world, your unique contributions will make a difference.

Our multi-dimensional culture blends our different backgrounds, experiences, and perspectives. Here, it isn't about fitting into our culture, it's about adding to it - and we can't wait to see what you'll bring.

Additional Information:

To qualify, applicants must be legally authorized to work in the United States, and should not require, now or in the future, sponsorship for employment visa status. SAS is an equal opportunity employer. All qualified applicants are considered for employment without regard to race, color, religion, gender, sexual orientation, gender identity, age, national origin, disability status, protected veteran status or any other characteristic protected by law. Read more: Equal Employment Opportunity is the Law. Also view the supplement EEO is the Law, and the Pay Transparency notice.

Equivalent combination of education, training and experience may be considered in place of the above qualifications. The level of this position will be determined based on the applicant's education, skills and experience. Resumes may be considered in the order they are received. SAS employees performing certain job functions may require access to technology or software subject to export or import regulations. To comply with these regulations, SAS may obtain nationality or citizenship information from applicants for employment. SAS collects this information solely for trade law compliance purposes and does not use it to discriminate unfairly in the hiring process.

All valid SAS job openings are located on the Careers page at www.sas.com. SAS only sends emails from verified "sas.com" email addresses and never asks for sensitive, personal information or money. Should you have any doubts about the authenticity of any type of communication from, for, or on behalf of SAS, please contact us at Recruitingsupport@sas.com before taking any further action.

  • ID: #46206076
  • State: North Carolina
  • City: Cary (27513), USA
  • Salary: TBD (USD)
  • Job type: Permanent
  • Showed: 2022-10-04
  • Deadline: 2022-12-01
  • Category: Et cetera