Calance Job Opening - Information Security Program Manager (Remote)

Calance Job Opening

Job Title	Information Security Program Manager (Remote) - ID:36359
Duration	Permanent
Start Date	ASAP
Job Skills	� 7+ years of experience 5+ years of information security governance, risk and compliance experience for a global organization (preferably with reliance on cloud computing, but not required) Looking for someone who can not only maintain the Security certifications but also who needs to know it and can speak/work with the auditor. HM is not looking for a mediator or a liaison type of person. This person should be able to communicate effectively with the auditor and what evidence to prove this and how to get the evidence from Heartflow side. Policy Management – updates, creation of new policies, etc 3rd party risk management: doing the security reviews for 3rd party risk, what we need to do to assess the risk ; Do not need a lot of hand holding - Write up a simple recommendation Comfortable working with their boss, Someone who isn’t needy – This person’s manager is a first-time manager who has limited expertise in certifications, limited management of human beings (Auston is mentoring this person) So FYI, Manager isn’t going to be super strong, not a SME or technical. Oversees mitigation of identified gaps for required certifications (ISO 270001, HIPAA, HITRUST, etc.), Attestations (i.e. SOC 2 Type 2) and frameworks (NIST 800-53, including but not limited to documentation and controls) to completion Security Training and Awareness experienceIt’s a plus but needs to have a practical understanding of at least two security control frameworks and associated policy requirements from the following set: ISO 27001, NIST CSF, NIST 800 800-53, NIST 800-171, NIST 800-82, Cloud Security Alliance Cloud Controls Matrix (CSA CCM), SOC2, PCI/DSS
Location	Redwood City, CA
Date Posted	12/08/2020

We are dedicated to making our products and technologies as secure as possible. Reporting to the Governance, Risk and Compliance (GRC) Manager, the Program manager will actively participate in supporting the strategy to enhance our governance, risk, and compliance programs; aligned to business priorities and supported by authoritative security frameworks. This is a critical self-starter role responsible for driving audit/certification compliance, third-party risk management, training/awareness, and policy management programs. This hands-on role will take the lead on ensuring our company maintains its regulatory cybersecurity certifications (ISO 270001, HITRUST 9.3, etc.) and SOC 2 Type II Attestation.

We are looking for an experienced, motivated, self-starter who not only knows what to do to make these programs successful but can execute and deliver with minimal oversight. The candidate should have strong analytical skills, keen attention to detail, and the ability to successfully prioritize and execute on multiple tasks and meet deadlines. The candidate should be able to motivate team members in a positive manner both within and external to Information and Security Services to contribute (evidence, documentation, interviews, etc.) to maintain our company’s regulatory cybersecurity certifications. This person will serve as a subject matter expert with regards to:
� information security regulatory requirements
� common vendor related risks (both technical and workflow based)
� associated information security policies and procedures

This person should be highly organized and possess in-depth knowledge of applying, selecting, and testing the NIST family of security controls and tracking compliance with the associated control requirements. The Governance Risk and Compliance program is a comprehensive program and this person may be called upon to contribute to other areas of the program as needed.

Job Responsibilities:
� Audit/Certification Compliance
� Audits information systems, platforms, and operating procedures in accordance with established corporate and regulatory standards for efficiency, accuracy, and security.
� Evaluates infrastructure in terms of risk to the organization and works with the CorpIT and Information Security Operations teams to establish controls to mitigate loss.
� Determines and recommends improvements in current risk management controls and implementations of system changes and upgrades.
� Creates audit planning memos in conformance Internal Audit Department procedures.
� Documents business processes, process narratives and flowcharts for identifying risks and mitigating controls.
� Develops risk and control matrixes and test plans for key controls.
� Identifies control gaps and tests the design of existing controls.
� Oversees mitigation of identified gaps for required certifications (ISO 270001, HIPAA, HITRUST, etc.), Attestations (i.e. SOC 2 Type 2) and frameworks (NIST 800-53, including but not limited to documentation and controls) to completion
� Conducts recurring internal audits and assessments of security controls and documentation in anticipation of re-certification and determining readiness to achieve new certifications
� Provide recurring report of controls mapped across multiple regulatory requirements and frameworks for visibility into defense mechanism strengths and gaps
� Collaborate with appropriate teams to execute various security projects (upgrades, new implementations, etc.); evaluate and implement new security technology controls and solutions

� Third-Party Risk Management
� Implement and manage a vendor risk management program; review third party vendor contracts to ensure appropriate security and compliance controls are in place and functioning effectively
� Evaluate requests for exception to established security policies, guidelines, and standards.
� Document all approved exceptions and review on a recurring basis for continued necessity
� Perform information security risk evaluations/reviews of vendor software, solutions, and services to assess risk imposed associated with the use of vendor software, solutions, and services
� Document all approved reviews and audit on a recurring basis for continued necessity

� Training and Awareness
� Develop and implement a security training program that addresses the threats, risks, and raises the overall security awareness throughout the enterprise.
� Responsible for managing the security training program and documentation library.
� Collaborate with security, IT, GRC, legal, privacy, compliance, and engineering on training and documentation requirements.
� Collaborate on internal communications for information security messaging for the enterprise.
� Work with security leadership to develop a strategy for security training and awareness programs.
� Develop and report on metrics for training and awareness to leadership.
� Author and document policies, standards, procedures, and guidelines that meet gathered requirements
� Day-to-day management of the security training platform as required
� Develop targeted phishing training campaigns as well as other training programs for all audiences (technical and non-technical).
� Help security leadership with developing effective presentations for internal and external stakeholders.
� Work closely with Legal, Compliance, Product, and Engineering on other requirements for training as required.

� Policy Management
� Develop, document and publish Information Security policies, procedures, standards and guidelines based on industry best practices and regulatory compliance requirements
� Develop, maintain, and document a framework to continuously maintain information security policies, standards and guidelines; and oversee the approval and publication of risk policies
� Perform periodic audits on company policies, procedures, and processes
� Ensure policies are aligned to leading information security frameworks and meet cybersecurity regulatory requirements
� Contribute to the development and implementation of a policy compliance framework using a GRC platform coupled with a variety of systems of record
� Identify gaps and conflicts in policy governance structure and make recommendations to address them and drive changes as required
� Shepherd policy changes through a formal governance process practiced by a Policy Approval Committee

Skills Needed:
� 7+ years of experience
� 5+ years of information security governance, risk and compliance experience for a global organization (preferably with reliance on cloud computing, but not required)
� Solid technical background with an applied understanding of common attack methodologies; common types of security risks and mitigation strategies
� Experience with GRC tools, including API-driven applications to a variety of systems of record
� Exceptional experience developing effective, pragmatic information security policy and standards frameworks
� Outstanding skills at building and continually strengthening relationships with teammates and partners, thereby influencing key decisions they make
� Ability to bridge gaps of understanding between business and technical partners
� Outstanding analytical and problem-solving skills
� Practical understanding of at least two security control frameworks and associated policy requirements from the following set: ISO 27001, NIST CSF, NIST 800 800-53, NIST 800-171, NIST 800-82, Cloud Security Alliance Cloud Controls Matrix (CSA CCM), SOC2, PCI/DSS
� Solid project management skills, especially in a cross-functional environment
� Strong team-oriented interpersonal and communication skills; ability to present technical information in a way that establishes rapport, persuades others and gains understanding.
� Effective communication and presentation skills with demonstrated ability to prepare documentation and presentations for technical and non-technical audiences
� Self-starter, positive attitude, ability to work independently, enjoys learning and staying current with industry developments, regulations, and best practices

Preferred Skills and Experience:
� Strong knowledge of security controls in industry-standard frameworks including ISO 27001, SOC 2 Type II, HITRUST 9.x and the NIST CSF
� Preference will be given to those candidates who can demonstrate an in-depth technical understanding of common risks imposed by third-party applications and associated mitigation strategies
Experience working at a cloud service provider company spanning multiple countries is preferred but not required

View Other Calance Jobs

by Category

by State

by Date

IRV-DOM01

*CONTACT US*		*ABOUT CALANCE*
recruiting@calance.com Mission Viejo, CA ~ (800) 732-4680 Atlanta, GA ~ (866) 732-4680		Calance is a global IT Services firm specializing in end-to-end solutions for Development, Managed Service, Security, SAP, Project Control Integration and IT Staffing.Operating in the United States and India, Calance helps clients bring their ideas and strategies to life through talent, technology and tenacity.