Information Security - Risk & Compliance Analyst
Postmates is looking for an Information Security Risk & Compliance Analyst focused on the evaluation of Postmates core services and infrastructure for compliance with the NIST Cybersecurity Framework (NIST CSF) and Sarbanes Oxley IT General Controls.
In this role, you will be responsible for evaluating and documenting internal controls, assisting with internal security reviews, and working with internal teams to address compliance and audit issues.
- Serve as a subject matter expert on industry standards and security compliance frameworks and standards such as SOX Section 404 IT General Controls, NIST 800-53, PCI DSS, GDPR, CCPA.
- Conduct security risk assessments of third-party vendor services.
- Support internal audits of Postmates Mobile and Web Applications for compliance with the NIST Cybersecurity Framework (NIST CSF), PCI DSS, GDPR, CCPA and Sarbanes Oxley IT General Controls.
- Interact with Postmates technology, and business stakeholders to understand risks critical to infrastructure, define potential business impact and establish corrective action plans.
- Prepare, validate and maintain security documentation including, but not limited to: Information Security Policies, Information Security Procedures, IT Compliance Corrective and Preventive Action Plans (CAPA’s), Privacy and Business Impact assessments (BIA/PIA), and Annual and Quarterly Compliance Audit Procedures.
- Prepare weekly reports for senior leadership on the status of Postmates internal controls.
- Knowledge in NIST and PCI DSS security standards.
- Knowledge in Information Security industry best practices.
- Experience with participating in compliance audits in a lead or supporting role.
- Experience in preparing compliance audit workpapers such as artifact request lists, standard test cases and test plans.
- Experience with managing and supporting an Enterprise Risk Management (ERM) Lifecycle.
- Experience with managing third-party supply chain risk.
- Familiarity with the use of Standard Information Gathering (SIG) for Third-Party Vendor Risk Assessments.
- Experience using Atlassian Jira for team workload assignment and prioritization through Scrum or Kanban project management.
- Experience configuring, managing and providing support for GRC or IRM tools such as Archer, ZenGRC or RSAM.
- Experience with developing compliance and security analytics/insights through Chartio or similar BI/analytics tooling.
- Ability to work effectively while prioritizing and juggling competing priorities in a fast-paced work environment.
- Competitive salary and generous stock option plan
- Medical, dental and vision insurance
- Whatever equipment you need to work efficiently and creatively
- Paid parental leave, vacation time, sick time, and volunteering time
- Catered lunches
- Impact-first work environment (no politics, no pandering)
- Huge company vision (we need you to build the future, not just maintain the status quo)
- Awesome office located in SOMA District just minutes from BART, Muni, AC Transit, and SamTrans