Remote, United States
Req ID: JR103441

Compliance Analyst II, Governance, Risk & Compliance

About the Role 

We are looking for a GRC Compliance Analyst II who can lead the day-to-day commercial compliance efforts (SOC 2 Type 2, ISO 27001/17/18, PCI) and controls program at HashiCorp. We are looking for a self-motivated individual who thrives in a fast-paced environment, can seamlessly drive efforts across multiple projects, working with various stakeholders.

Security at HashiCorp is a remote team. While prior experience working remotely isn’t required, we are looking for team members who can perform well given a high level of independence and autonomy.

In this role, your responsibilities will include: 

  • Help oversee and mentor existing compliance analyst(s) 
  • Lead the day-to-day activities of commercial compliance efforts, such as SOC 2 Type 2, ISO 27001/17/18 and PCI, including:
    • Confirmation on scope
    • Preparing control owners for external assessments 
    • Preparing internal communications, including weekly status updates
    • Hosting walkthroughs and helping prepare and/or review walkthrough agendas
    • Evidence collection, including detail review and analysis before sending to auditors
    • Monitoring and tracking control exceptions, if applicable, and helping teams create remediation plans for gaps/audit findings
    • Development of the system description, including working with relevant control owners for input 
    • Preparation of ISO Scope documentation as well as Statement of Applicability (SOA) 
  • Support the ISO Internal Audit performed by HashiCorp 
  • Maintain and document the scope/boundaries of the compliance program (cloud accounts, repositories, GitHub teams, etc.) including updates, removals and additions.
  • Drive the maturity of HashiCorp's Common Controls Framework by continuously maintaining
  • Work with Engineering teams to automate manual tasks, including continuous monitoring of controls and audit evidence collection
  • Drive the initiation and completion of User Access Reviews (UARs) on a quarterly basis, overseeing existing compliance analyst(s) 
  • Support internal readiness/gap assessments of new products being added to attestation and certification programs, as well as those products going into general availability. 
  • Development of key metrics and compiling data on a quarterly basis 
  • Support other compliance work as required including Security Awareness Training (SAT) monitoring for completion, and other Objectives and Key Results that the Compliance team is responsible for on a quarterly basis, annual review and refresh of the HashiCorp Security Policy and Business Continuity Plan, documentation of Security Policy Exceptions, etc. 

Must have qualifications

  • Minimum of 5 years of related professional compliance and controls program experience
  • Previous experience in a cloud environment, preferably AWS and/or Azure
  • Advanced level knowledge in either SOC 2 or ISO 27001
  • Experience leading external audits, working as the liaison between auditors and the business
  • Comfortable working with both deeply technical and non-technical resources 
  • Flexible in daily hours (e.g. willingness to work longer hours during end of quarter and peak periods, and audit) 
  • Highly responsive 
  • Ability to prioritize and track multiple projects and tasks in parallel

Desired Qualifications

  • Experience working in a large, multi-cloud environment
  • Deep understanding of common security compliance frameworks, attestations and certifications
  • Previous experience at a technology or SaaS company in a similar role 
  • Experience working with OSCAL 


 

Individual pay within the range will be determined based on job-related factors such as skills, experience, and education or training.

The base pay range for this role in the SF Bay Area / NYC area is:
$157,300 - $185,000 USD
The base pay range for this role in Seattle Metro, Denver / Boulder Metro, New York (excluding NYC), Washington D.C., or California (excluding SF Bay Area) is:
$144,200 - $169,600 USD
The base pay range for this role in Colorado (excluding Denver / Boulder Metro) and Washington (excluding Seattle Metro) is:
$131,100 - $154,200 USD

Life at HashiCorp

HashiCorp is driven by our people and our principles which have been the foundation of everything we do since the company was founded in 2012. Join us on our journey as we work to support the world's most innovative companies as they transition to cloud and multi-cloud infrastructure through simple yet powerful workflows and automation.

About HashiCorp

At HashiCorp, we build the infrastructure that enables innovation.  Our suite of multi-cloud infrastructure automation products are the underpinnings of the largest enterprises in the world, who rely on our solutions to provision, secure, connect, and run their critical applications to deliver crucial services, communications tools, and entertainment platforms to the world. We're building a once-in-a-generation infrastructure company with a unique approach rather than focusing on specific technologies, and we build products and solutions that support real-world workflows spanning the multiple cloud environments that nearly every organization worldwide is using today. 

HashiCorp is proud to be an Equal Employment Opportunity employer. We are committed to providing equal employment opportunities to qualified applicants and do not discriminate on the basis of race, color, ancestry, religion, sex, pregnancy, gender, gender identity, gender expression, sexual orientation, national origin, age, marital status, genetic information, disability, protected veteran status or any other characteristic protected by federal, state, or local laws. We also consider qualified applicants with arrest and conviction records consistent with the San Francisco Fair Chance Ordinance, the Los Angeles Fair Chance Ordinance, and other applicable state or local laws.

HashiCorp is committed to providing reasonable accommodations to qualified individuals with disabilities in our job application procedures. If you need assistance or an accommodation due to a disability, please reach out to benefits@hashicorp.com

We comply with all laws and regulations set forth in the following posters:

Know Your Rights: Workplace Discrimination is Illegal

EEO is the Law Supplement

Pay Transparency Non-Discrimination

Benefits at HashiCorp

Note: some benefits may differ from one country to another.
