Sr Security Analyst IT Job Listing at Gap Inc. in SAN FRANCISCO, CA

Gap Inc.

Location: SAN FRANCISCO, CA
Posted: 03/26/2013
Refreshed: 05/18/2013
Application deadline: None
Type: Not specified
Career Level: Not specified
Salary Range: Not specified
Number of Jobs: 1
Relocation Available: No
Industries
Retail
Description
Title: Sr Security Analyst IT
Location: US-CA-SAN FRANCISCO
Other Locations: US-CA-ROCKLIN
Major Responsibilities include:
Leading the following activities to plan, implement and track IT compliance (PCI-DSS 2.0, EU Safe Harbor, HIPAA, Vulnerability Assessments, Penetration Testing, SOX, etc.):
• Ensure readiness for internal and external audits
• Schedule and oversee annual external compliance audits
• Schedule and conduct regular internal compliance checks
• Secure agreement on ownership of compliance related findings and issues
• Ensure remediation of critical compliance issues is prioritized, escalating as needed to meet compliance objectives
• Identify and engage key stakeholders in remediating compliance issues
• Oversee and drive remediation of key compliance issues, following up to ensure exceptions are remediated in a timely manner
• Track findings from various IT audits to completion of remediation efforts
• Manage vendors as needed (PCI Assessor, Pen Test vendor, etc)
• Design, develop and deliver compliance related training to IT each year to facilitate and promote security awareness. This will include mentoring and training teams as needed on regulatory and contractual audit programs, best practices, IT Security policies and standards as well as the risk assessment process
• Ensure our Business Partners have a clear understanding of the consequences of compliance vs. non-compliance
• Advocate compliance with security policies, legal, regulatory and contractual requirements
• Complete risk assessments for all known violations of IT Security Policies and Standards, performing the initial review, in depth analysis of mitigating controls and financial risk, and documenting the risk in an executive summary format
Leading the following communications efforts:
• Lead formal presentations of compliance status and issues regularly to IT teams and management, including a meeting, at least quarterly, with ITLT members or their delegates to relay status and issues
• Conduct periodic “road shows” to communicate IT SGC roles, vision and purpose
• Ensure serious compliance related concerns are communicated to responsible IT management in a timely manner
• Measure results through metrics and communicate to management monthly

Focusing on Customer Service and Soft Skills:
• Ensure that each encounter with our IT business partners is geared towards customer service: helping IT succeed in being compliant
• Ensure adequate research, analysis, and consultation are incorporated into key compliance related decisions
• Meet SLAs for turnaround of risk assessments and monthly reporting, and annual deadlines for PCI ROC delivery
• Foster a trusting relationship between IT Security and key stakeholders to ensure the continued sharing of risk related information
• Understand individual work styles and tailor approach to ensure ease of transaction for key stakeholders. “Be easy to work with.”
• Gain an understanding of our Business Partners business needs and compliance related concerns during meetings, and ensure meeting minutes are documented
• Establish and employ risk based prioritization of compliance issues, and ensure alignment with business objectives
• Be an advocate for creative methods of attaining compliance where both business objectives and compliance requirements can be satisfied
• Be flexible with adherence to process if it will facilitate improved customer service on a case by case basis
• Be an advocate for civil, calm and professional discussion of divisive or contentious issues between IT Security, key stakeholders and IT management
• Recognize and leverage compliance advocates among senior IT leadership in order to help raise visibility to key compliance issues.
• Ensure good working relationships are maintained between IT SGC and IT Security teams, consulting with and informing team members openly and frequently
Maintaining technical and professional skill sets:
• Maintain an understanding of common industry best practices in regards to organizational models for risk management and compliance functions
• Maintain an understanding of the current project portfolio, including prioritization of projects, and how those projects may impact compliance
• Understand how new technologies employed at Gap may impact our compliance
• Maintain an understanding of current information security related laws, tools, and trends via membership in professional organizations
• Maintain an understanding of current retail trends to anticipate business drivers that may affect compliance
• Maintain an understanding of current technology trends, and how those may impact security or compliance
Leading the following process improvement efforts:
• Utilize quality standards such as COBIT, ISO 9001, ISO 27001, ITIL, etc. to evaluate our compliance programs and team processes. Make recommendations for improvement as needed
• Assist IT teams in the documentation of key controls and in interpreting compliance requirements, and how they apply, consulting with industry experts as needed (may include other IT Teams, Internal Audit, SOX PMO, External Auditors, Legal, HR and others)
• Ensure key processes are documented, reviewed at least annually for accuracy and improvement opportunities, and followed, as appropriate
• Hold regular retrospective discussions to identify lessons learned and implement improvements to address concerns
Leading the following strategic planning activities:

• Leverage understanding of retail and security developments to develop long term recommendations for addressing compliance requirements
• Contribute to a 3 Year Roadmap for the organization that accommodates updates in compliance and business requirements
• Deliver and maintain an IT Security Risk Profile to ensure IT management has the information they need in order to make decisions in addressing key IT Security risks

* 3-5 years experience leading IT compliance programs
* 3-5 years experience testing IT control effectiveness
* 3-5 years experience in project management
* Ability to manage staff who are not directly reporting to you
* Ability to deliver on goals in an environment that is ambivalent towards compliance, policy, and risk
* Ability to communicate effectively with all levels of management, translating technical risks into business terms that can be understood by executive management
* Ability to manage vendors
* Detailed knowledge of PCI, COBIT, SOX GCC, ISO 9001, ITIL, HIPAA, Privacy Acts, and other IT compliance frameworks
* Understanding of Gap Inc IT Security policies and standards
* Experienced with MS suite of tools
* Attention to detail, patience and flexibility
* Multitasking and time management
* Excellent verbal and written communication skills
* Certified Information Systems Security Professional (CISSP), Qualified Security Assessor (QSA), or Certified Information Systems Auditor (CISA) preferred
* 4 year college degree preferred
