IT Security and Compliance Specialist

SAS Institute – Cary, NC

SAS believes in the whole employee experience. Meaningful work. Empowerment to make a difference that changes people’s lives. Dynamic work environments that foster innovation. And an award-winning culture that makes it all possible. We believe great ideas can come from anywhere. Whether you’re a university recruit, or an experienced professional ready for the next big challenge, SAS brings perks, passion, and the potential to grow. No limits.


The IT Security Compliance Specialist, under limited supervision, will be responsible for supporting the IT Security and Compliance Program. The IT Security and Compliance Specialist will be responsible for information technology policy and standards development, updates and facilitation with internal departments. They will perform risk assessments against security standards such as National Institute of Standards and Technology (NIST 800-53), IRS 1075 and other security frameworks. The IT Security Compliance Specialist will also perform Plan of Action and Milestones (POAM) activities to track remediation efforts, complete security risk tracking and reporting, and handle Information Technology audit preparation and response.

The ideal candidate will be a self-starter and have an inquisitive, analytical mind that constantly looks for solutions to difficult problems. The Specialist must have the ability to convey technology and security concepts to management and ideally has technical knowledge and/or experience in security with a proficiency in a risk management framework with the ability to assess administrative and technical controls.

A successful candidate must be driven and goal-oriented with the ability to complete tasks with limited supervision within an evolving and entrepreneurial environment. The Security and Risk Compliance Specialist will work with other departments throughout SAS and must be detail-oriented to successfully manage multiple projects at the same time.

Knowledge Skills and Abilities

Perform as a lead for key compliance activities, including, but not limited to, IT Policies and standards, Supplier Security Qualification for third party relationships, risk assessments, audits, Security Incident Response and contract reviews for security compliance.
Lead compliance program/project initiatives, audits and benchmarking of security policies against best practices and standards, which may include ISO 27001, FISMA, IRS 1075, NIST 800-53, and other NIST special publications.
Conduct risk assessments.
Participate in security investigations and compliance reviews as required by customer requirements or internal or external audits.
Operate as a consultant, researching and recommending changes to enhance or streamline information security procedures.
Identify and implement best security practices within SAS to improve efficiencies.
Review hosting, security, and audit contract terms and ensure compliance to current policies and processes.
Help maintain the IT policy and standards document and updates, while ensuring compliance with regulations and guidance.
Interface with customer auditors to discuss security or IT hosting operations-related concerns during pre and post sales activities.
Assist with analysis, documentation, and training of remediation actions in response to audit findings. Focus is on pharmaceutical, banking and insurance industry requirements.
Effectively communicate, facilitate, present, and train both technical and non-technical small and large audiences, regarding hosting and security requirements and procedures.
Coordinate and assist with Continuity of Business/Business Resumption activities, including BR Plan maintenance, table-top exercise/testing, and Business Impact Analysis (BIA).
Coordinate response to complete RFP and security questionnaires.
Coordinate and manage efforts related to security incidents and provide support and assistance to the Security Incident Response Team as needed.
Must have the ability to work with little supervision, escalating issues, as appropriate.
Perform other duties, as assigned.
Create and help administer security training programs and practices.

Highly motivated individual with excellent organizational skills, detail oriented, with the ability to stay on top of a variety of commitments and deadlines; must be able to work independently and as a team to maintain workload, and report on problems or progress in a timely manner
Strong time management skills (schedules, timelines, and task prioritization) and ability to work with minimal supervision or guidance
Excellent communication, analysis and process flow skills are essential
Knowledge of and ability to use and influence organization’s policies, standards, and procedures guiding organizational processes
The ability to be flexible with others, to display tact and diplomacy, and to maintain a high degree of confidentiality
Understanding of best practices for information security and data privacy
Understanding of regulatory standards: FDA Part 11, PCI, FISMA/NIST 800-53, or IRS 1075
Knowledge and experience with best practices/standards: ITIL, COBIT, GAMP5, or ISO 27001
Knowledge of IT or quality auditor procedures and tools (not financial/accounting)
Excellent planning and organization skills
Strong time management and prioritization skills
Self-motivated and ability to work independently
National Institute of Standards and Technology (NIST) 800-53
Regulatory information security compliance as related to the Federal Information Security Management Act (FISMA), HIPAA, and IRS 1075
Experience with ServiceNow issue management ticketing system
Bachelor’s degree and five years’ experience in new computer systems development, network management, or related field – OR – Associate’s degree in computer science and seven years’ experience.
Equivalent combination of education, training, and relevant experience may be considered in place of the requirements above.
Additional Information:

To qualify, applicants must be legally authorized to work in the United States, and should not require, now or in the future, sponsorship for employment visa status.

SAS is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status or any other characteristic protected by law.

The level of this position will be determined based on the applicant’s education, skills and experience.

Resumes may be considered in the order they are received.

SAS employees performing certain job functions may require access to technology or software subject to export or import regulations. To comply with these regulations, SAS may obtain nationality or citizenship information from applicants for employment. SAS collects this information solely for trade law compliance purposes and does not use it to discriminate unfairly in the hiring process.
