Platform.sh is a groundbreaking cloud hosting and development tool for web applications. We’re a European VC-backed startup with a host of blue-chip enterprise clients and a string of awards and grants (including €2m from the EU Horizon 2020 program). Though young, we have become a major player in ecommerce, with companies such as Magento building their cloud solution on top of us.
We run a tight ship. Platform.sh was built from the ground up to be robust and secure, and we take great pride in protecting the privacy of our customers and their users.
We are now looking for a new member of the team to take full responsibility for our compliance efforts, both in terms of security and privacy. This is going to be an ambitious project… because, like everything else we do, we want to automate the h** out of this problem too.
Your mission, should you accept it, would be to work with Product Engineering, the Infrastructure People, and the operations people to devise the plan that will allow us to keep our current velocity, while implementing the controls and procedures needed to meet multiple, stringent compliance frameworks.
We are a fast-moving company, and we want to stay that way. We have a complex topology (we deploy on multiple clouds, and we are a fully distributed company). It will be hard enough to implement this quickly. It will be harder to make sure we stay fast afterwards. You will work with brilliant engineers, and together your job will be to produce the abstractions, the code and the processes that allow us to do compliance right.
Knowledge of cloud technologies and their constraints will be greatly appreciated. Strong PCI-DSS experience is required, as is experience implementing other standards such as SOC 1/2 or HIPAA. It would be great if you also have knowledge of the upcoming GDPR.
Duties & Responsibilities
- Develop and maintain internal controls best-practice initiatives by proactively exploring control deficiencies associated with systems and processes throughout the Company. And automating those.
- Ensure that internal controls and regulatory compliance across the organization are being met, following a risk-based approach that balances effort against risk. And automating those.
- Monitor and maintain an effective internal control environment across the compliance-impacted business units within the company, in accordance with established company policies and procedures. And automating those.
- Coordinate audit-related tasks to ensure the readiness of managers and their teams for audit testing, and facilitate the timely resolution of any audit findings. And automating those.
- Take the lead role in managing the company’s PCI-DSS program and annual assessments with the external audit firm. And automating those.
- Maintain PCI Level 1 Service Provider Certification across multiple complex business units to contain scope, reduce risk, and meet assessment timelines
- Support annual SSAE-18 audit activity across multiple business units with external audit firm to maintain annual SOC1 and SOC2 reporting requirements on controls relevant to security, availability, processing integrity, and confidentiality
- Support ISO27001 certification and assessment activity across multiple office locations
- Support and mature HIPAA compliance program
- Provide advisory role during new client onboarding or acquisition projects to assess security requirements and controls to ensure that security and compliance controls are implemented as planned
- Support additional internal and external compliance activity
- Improve methods of capturing and presenting status of key compliance requirements in order to provide leadership with clear, concise data to enable appropriate decision making
- Report and prepare presentations on the levels of IT compliance risk and control effectiveness to key stakeholders such as IT-business unit management, senior management, and internal/external auditors
- Promote, support, and implement solutions that reduce the total cost of internal controls and ongoing compliance activity
- Support security awareness and training initiatives to promote the success of company-wide IT compliance efforts
- Monitor the ongoing status of compliance remediation activity to identified risks from internal and external audit/compliance stakeholders
- Recognize and identify potential areas where existing policies, standards, and procedures require change
- Make recommendations regarding scope, timeline, budget changes, and/or improvements
- Occasional travel is required to support compliance activity across multiple locations
Requirements
- Possession of standard certifications in Information Security or Compliance (CISSP, CISA, CISM, CRISC, GIAC, PCIP, ISA). Former PCI QSA experience is a plus
- Significant experience applying PCI-DSS and SSAE-16 audit requirements to business and technical environments, while providing a service-oriented leadership approach to maintaining compliance
- Strong working expertise with Information Security, Compliance & IT Management Standards; ISO27001, PCI-DSS, SSAE-16 SOC1 & SOC2, SOX, HIPAA, HITECH, Safe Harbor, FISMA, COBIT, COSO, & ITIL
- Experience supporting security controls, compliance and audit activity within a service provider organization with multiple technologies.
- 7+ years of experience in information security risk and compliance
- Experience with software development practices and agile methodologies
- Proficiency in performing IT risk, business impact, control and vulnerability assessments
- Experience in developing, documenting, and maintaining security policies, processes, procedures, and standards
- Knowledge of network infrastructure, and the associated network protocols and concepts
- Demonstrated ability to apply IT-related knowledge and experience in solving compliance issues
- Strong project management and communication skills (written and oral) with internal organizations and external/internal auditors
- Advanced written and verbal communication and presentation skills
- Excellent leadership, teamwork, and client service skills