This is an exciting time to join Shutterfly's Information Security team. In this position you will be an integral part of advancing the company's enterprise Information Security Program. The Compliance Analyst will manage, measure, operationalize and communicate a myriad of compliance initiatives across the organization, including but not limited to HITRUST Certification, SOC2/Type II Certification, PCI, CCPA, GDPR, PIPEDA, HIPAA and others as relevant and applicable. The Information Security Compliance Analyst will execute projects related to information security compliance, risk management, third party risk privacy support, policy evolution, and security awareness support. The analyst will contribute to the overall advancement of Shutterfly's Information Security Governance Risk and Compliance (GRC) capability.
The Compliance Analyst will have a foundational level of experience enabling them to understand security compliance fundamentals, how to properly test controls and gather evidence, and to demonstrate confident familiarity with industry frameworks such as ISO 27002 and NIST CSF for information security and privacy. This individual contributor will be tasked with executing compliance assessments, evidence gathering, controls testing, crafting risk memos, and engaging with the company GRC platform. The analyst will be responsible for communicating risks and context effectively across all audience types, including line-level employees, technologists, and executive leaders.
Your primary duties and responsibilities will include:
Engage control owners (of varying information security acumen and expertise) and key stakeholders across the organization to collect and test evidence and assess compliance with various compliance requirements (e.g. HITRUST, SOC2/Type II).
Navigate and execute through an evolving Information Security Compliance Management program and recommend (and at times, be asked to drive) improvements.
Identify area(s) of risk through gathering facts and partnering with other experts across the company, escalating issues, risks, and problems to leadership as needed and as appropriate.
Work closely with Information Security Architecture, Engineering, and relevant operational teams to gather data and insights leading to a holistic risk and compliance approach.
Communicate information security and compliance risks to team leadership, and craft risk memos for leadership and executive management to ensure proper awareness and decision-making. In addition, maintain and foster relationships and trust with key partners throughout the company.
Maintain compliance and risk management initiatives in a GRC platform such as Archer, ServiceNow, LogicGate, Tableau or others.
Contribute security inputs to metrics team for periodic reporting and insights.
As directed, conduct periodic internal assessments for security risk and compliance.
Provide consultation to business units and technology teams on security best-practices and ongoing requirements or where/if consultation needs exceed your expertise, redirect to the right individual(s) on the team.
Partner with Privacy, Legal, Procurement, Shutterfly Business Solutions (SBS) and other partners to ensure a holistic enterprise security compliance approach.
Proactively stay informed of industry and media research to keep current on the latest security issues, threats, and technical capabilities.
Contribute to and champion enterprise Information Security Awareness efforts upon request.
1-3 years of Information Technology and/or Information Security experience focusing on compliance assessments, risk assessments, and/or technology audits
Demonstrated familiarity with a broad range of technical concepts: logical access control, network security, encryption, application security, and privacy
Strong organizational skills with the ability to thrive in a sense-of-urgency environment, leveraging best practices and approaching any problem as a team player with a can-do attitude
Strong written and verbal communication skills and ability to interface with all levels of business and executive leadership
Familiarity with compliance frameworks such as PCI, SOC2/Type II, HIPAA, HITRUST, CCPA, GDPR and industry frameworks including ISO 27001/2, NIST CSF, etc.
Bachelor of Science and/or Master's in CIS/MIS/CS/CE, Engineering/Technology or related field or equivalent experience/training
Experience interpreting the results of scanning tools such as Qualys or Nessus as they pertain to documenting information security risk(s)
Information security consulting experience or substantial cross-functional responsibilities.
CISSP, CISA, CISM, GIAC or equivalent certification, or proven experience and a desire to achieve one or more of these certifications in the near future.
AWS Cloud Practitioner Certification and/or desire to achieve this certification within 6 months of hire