Job Description
Senior Compliance Specialist (Security GRC)
About the Role
We are looking for a Senior Compliance Specialist (Security GRC) to join the Security GRC team at HashiCorp. In this role you will focus on leading efforts to execute/facilitate ongoing compliance controls and processes, including performing user access reviews, tracking gaps and remediation plans, following up on overdue security training, and others. You will also perform controls testing and internal audits, and work with teams on control rollout and validation as needed.
We are looking for a self-motivated individual who thrives in a fast-paced environment, can seamlessly drive efforts across multiple projects, and work with various stakeholders.
Security at Hashicorp is a remote team. While prior experience working remotely isn’t required, we are looking for team members who can perform well given a high level of independence and autonomy.
In this role, your responsibilities will include:
- Monitoring and tracking of control exceptions, if applicable, for timeliness of remediation
- Monitoring and tracking of approved policy exceptions, if applicable, for upcoming expiration dates, performing outreach 30-60 dates before expiration.
- Perform internal audits, including the annual ISO internal audit
- Perform targeted and ongoing controls testing, and identifying opportunities for automation
- Document the scope/boundaries of the compliance program (cloud accounts, repositories, Github teams, etc.) including updates, removals and additions.
- Help drive the maturity of HashiCorp’s Common Controls Framework
- Identify opportunities to automate manual tasks, including continuous monitor of controls and audit evidence collection
- Drive the initiation and completion of User Access Reviews (UARs) on a quarterly basis
- Collect and report on metrics and data related to GRC processes, including access reviews and exceptions
- Monitoring of Security Awareness Training (SAT) and Secure Development Training for completion, and following up on incomplete and overdue training
- Support making changes to the controls framework using Github
- Help develop and document minimum control test procedures for each control in the controls framework
- Perform reviews of mappings in the controls framework to associated materials, such as the Security Policy, Security Exhibit, etc. upon changes being made to those materials
- Support the development of audit documentation such as prep agendas, walkthrough agendas, etc.
- Support and perform other GRC work and initiatives as assigned and needed
Must have qualifications
- Minimum of 8 years of related professional security, risk and compliance experience
- Previous experience in a cloud environment, preferably AWS and/or Azure
- Advanced level knowledge either SOC 2 or ISO 27001
- Comfortable working with both deeply technical and non-technical people
- Flexible in daily hours (e.g., willingness to work longer hours during end of quarter and peak periods, and audit)
- Highly responsive
- Ability to prioritize and track multiple projects and tasks in parallel
Desired Qualifications
- Experience working in a large, multi-cloud environment
- Deep understanding of common security compliance frameworks, attestations and certifications
- Previous experience at a technology or SaaS company in a similar role
- Experience working with OSCAL
LI-AD1
#LI-Hybrid
“HashiCorp is an IBM subsidiary which has been acquired by IBM and will be integrated into the IBM organization. HashiCorp will be the hiring entity. By proceeding with this application you understand that HashiCorp will share your personal information with other IBM subsidiaries involved in your recruitment process, wherever these are located. More information on how IBM protects your personal information, including the safeguards in case of cross-border data transfer, are available here: link to IBM privacy statement.”
