Responsibilities
- Lead end-to-end PCI DSS compliance, including cardholder data environment (CDE) scoping and scope reduction, control implementation and validation, and audit management (Report on Compliance/Self-Assessment Questionnaire, working with QSAs).
- Lead and support SOC 2 Type II attestation initiatives, including TSC mapping, evidence collection, control testing, and remediation tracking.
- Support and maintain ISO 27001 ISMS, including risk assessments, SoA, internal audits, and continuous improvement activities.
- Develop and enforce security policies, standards, and procedures aligned with PCI DSS, SOC 2, and ISO 27001.
- Partner with Security, Platform, and Application teams to ensure controls are technically implemented and continuously operating.
- Collaborate with Security Architecture to review and validate security exceptions and ensure compliance alignment.
- Track, review, and periodically reassess approved exceptions to minimize long-term risk exposure.
- Own the Third-Party Risk Management (TPRM) program, including vendor tiering, risk assessments, and security reviews.
- Evaluate vendor compliance posture, including PCI DSS requirements, and define remediation or contractual controls.
- Design and manage scalable GRC workflows for risk assessments, vendor reviews, evidence management, and control testing.
- Perform business impact analysis and support BCDR planning and tabletop exercises.
- Prepare and present risk, compliance, and third-party security reports to senior leadership.
- Translate technical risks into business-impact language to support decision-making.
Qualifications
- Bachelor’s degree in Information Systems, Computer Science, Cybersecurity, or a related field.
- 4.5+ years of experience in GRC, risk management, or compliance, with exposure to technical security controls.
- Strong hands-on experience with PCI DSS, including audits, CDE scoping, and control validation.
- Working knowledge of SOC 2 Type II Trust Services Criteria and audit processes.
- Experience implementing and maintaining ISO 27001 ISMS, including risk assessments and Annex A controls.
- Hands-on experience with third-party vendor risk assessments, tiering, and remediation tracking.
- Ability to interpret technical security concepts such as cloud architecture, network segmentation, access controls, and vulnerability reports.
- Strong analytical, documentation, and stakeholder communication skills.
- Experience working in cloud-native or SaaS environments.
- Certifications such as IPCIP, QSA, CISA, ISO 27001, TPRA or equivalent.
- Experience with GRC tools such as Vanta or ServiceNow GRC.
- Knowledge of data protection and privacy regulations such as GDPR and CCPA.
- Familiarity with NIST, CIS Controls, or similar frameworks.
- Experience in SaaS environments with PCI-in-scope systems.