Oracle Regulatory Compliance Specialist 4 in Burlington, Massachusetts
Assists and supports the organization in complying with, as well as the ongoing preparation, testing and monitoring of conformance to, the requirements of government regulations and/or regulatory agencies.
Performs evaluation of internal operations, controls, communications, risk assessments and maintenance of documentation as related to regulatory compliance and recommends appropriate changes. Conducts and facilitates internal and external audits to identify, evaluate, disclose and appropriately remedy risks and deficiencies. Coordinates the preparation of and may prepare document packages for regulatory submissions from all areas of company as well as for internal and external audits and inspections. May serve as point of contact for interactions with regulatory agencies for defined matters. Support the creation of a comprehensive risk management and regulatory oversight program, including specifications for product and service design aligned with Oracle Software Security Assurance and Security Architecture. Review specifications. Develop training for GBU development, cloud services, services and operations teams on industry regulatory specifications applicable to their products and services. Execute risk assessments and evaluate risks to the business and develop risk mitigation strategies. Work with members of GBU development, cloud services, services and operations teams to incorporate applicable industry regulatory standards, Oracle security policies and customer-contractual obligations into GBU processes and standards. Coordinate industry and regulatory certifications, including managing certification vendors (e.g., PCI, HIPAA,HITECH, ISO, SOC2). Build security documentation and collateral for customers and internal users allowing security to be a differentiator in this GBUs. Build management level metrics and reporting for activities that are owned by the Risk Manager. Execute a vendor security program.
Leading contributor individually and as a team member, providing direction and mentoring to others. Work is non-routine and very complex, involving the application of advanced technical/business skills in area of specialization. . Ability to travel. 8 plus years experience. BA/BS or advanced degree preferred. 5-7 years work in governance and compliance for a large corporation. CISA, CISM, CISSP, CIPP desired. Strong knowledge of IT auditing and controls, preferable with SOX, SSAE 16 - SOC 1 & SOC 2, PCI compliance, NIST, DIACAP, FedRAMP, ISO 27001 & ISO 27002. Experience with 21 CFR Part 11 and HIPAA. Knowledge and understanding of the delivery process for validated systems; specifically Computer System Validation process or CSV. Have an understanding of security standards and risk management. Experience working in Information Technology, Cloud or managed hosting services. Excellent written and verbal communication skills. Ability to adjust and adapt to changing priorities in a dynamic environment. Technical acumen and the ability to understand and interpret technical specifications. Technical knowledge of Oracle Applications and Database and/or infrastructure components. Project Management skills.
Oracle is an Affirmative Action-Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability, protected veterans status, age, or any other characteristic protected by law.
Principal Regulatory Compliance Analyst
The SaaS Compliance team supports Oracle Cloud Application Services through audits, assessments or certifications performed by third party audit companies. The span of audit frameworks Services must adhere to include SOC, HIPAA, PCI, FedRAMP, ISO, C5, IRAP and many more. The SaaS Compliance Team is responsible for understanding Service’s control implementation, as well as obtaining, reviewing and maintaining audit evidence for large audit projects using a ticketing system. They are also responsible for being intimately familiar with policy and procedures to confidently speak to Auditors about control implementation on behalf of the Services during audits.
The successful candidate must be comfortable taking a leadership role in managing the entire lifecycle of vulnerabilities from discovery, triage, advising, remediation, and validation. They will also have a broad engineering experience of compliance implementation with engineering teams with enough knowledge of core engineering compliance and control frameworks to design/drive improvements into engineering as a proactive, governing process, reducing risk and improving alignment for future audits. Candidates must be knowledgeable in cloud architecture, systems, devices and tools to assess and explain evidence, support automation, and be prepared to educate others along the way.
INTERNAL CANDIDATES- All internal candidates would come over with current IC level for this position.
Primary responsibilities of this role include:
Partner with various teams to schedule and scope vulnerability assessments on systems or applications as required by corporate policies, standards or laws.
Manage vulnerability related program and tickets to ensure issues are remediated within proper timelines.
Drive consensus and influence stakeholders by using metrics and justify actions to be taken on open vulnerabilities.
Assess, prioritize and communicate risks and urgency to leadership and engineering teams
Effectively collaborate and communicate with Development, DevOps, SaaS Security, Executive Management and Lines of Business to report trends and status.
Manage the collection of audit evidence from internal teams via a ticketing system and share sites;
Organize large data sets in a ticketing system in a manner that enables efficient task resolution based on ticket categories and due dates;
Build positive relationships with a variety of cross functional teams and different levels of management on compliant control design and development;
Maintain open communication about any risks to audit completion or process improvements being made;
Other duties as assigned
Basic level knowledge of network, host-based, applications and data security methods, required security management technologies and implemented security controls.
Ability to interpret penetration and vulnerability scan reports.
Ability to prioritize impactful vulnerabilities and reduce noise often associated with vulnerability tools.
Understanding of how to triage vulnerabilities and validate tool findings before reporting them or taking action.
Demonstrated ability to use multiple avenues of communication (verbal, written, ticketing, messaging, etc.)
Ability to prioritize, manage, and deliver on multiple tasks simultaneously
Ability to partner with management in support of key initiatives and projects
Ability to operate effectively, resourcefully and flexibly within a dynamic, agile, and fast-paced environment
Proven analytical and problem-solving skills with curiosity and special attention to detail.
Information Systems Security, Cyber Security, Computer Science/ Engineering, Electronics Engineering degrees preferred
CISSP, CISA, CISM, CCSK, CCSP, QSA, PCIP or PMP certifications desired.
7 years relevant working experience on technical projects, preferably related to Vulnerability Management.
Experience with multiple technology domains including aspects of Windows, Unix/Linux and/or database administration, information security, software development or networking preferred.
Prior experience with PCI and FedRAMP certification management is a plus.
Knowledge of internal auditing, internal controls and risk management is preferred.
Job: *Business Operations
Title: Regulatory Compliance Specialist 4
Location: United States
Requisition ID: 210001CW
- Oracle Jobs