The Information Security and Compliance Manager is an integral member of Sage Intacct's security team which has overall information security responsibility for the enterprise. This position can be described as a very broad-based position, with a strong focus on audit, compliance, and risk management. We are a small, but effective team, therefore in addition to managing the audit and compliance function for the organization, the candidate will also be exposed to, and be expected to contribute to other areas of Information Security with strong collaboration across product, operations, engineering, IT, Sage Corporate and other departments to ensure compliance with policies and other activities which impact the confidentiality, integrity, and availability of our application, infrastructure, and business processes. 

Responsibilities:

• Managing all compliance activities for Sage Intacct. This includes, but not limited to SSAE 18, SOC 2, PCI, HIPAA, ISO 27001, and participating as needed in privacy (CCPA, GDPR)
• Reviewing and preparing Statements of Work, scoping, evidence collection and review, fostering relationships with key control owners, and when needed negotiating with auditors on any exceptions/findings
• Managing the compliance calendar to ensure that required regular audited activities are completed. This includes scans, pen testing, access reviews, patching, risk assessments, policy updates, DR / incident response exercises, firewall reviews, etc
• Owning the technology audit and risk management function to include vendor management, audits of high-risk processes and applications, maintaining risk registers, and driving remediation of identified risk areas
• Limited deployment, administration, and operation of security solutions such as vulnerability scanning and pen testing tools, log aggregation & analysis tools, data loss prevention systems, intrusion prevention devices, and other tools as necessary
• Maintain up-to-date detailed knowledge of the information security industry, including awareness of new or revised security solutions, updates to compliance requirements, improved security processes, and the identification of current and new attacks and threat vectors especially as it relates to Sage Intacct and its customers
• Provide recommendations and limited administration of security products and services to include firewalls, encryption technologies, patching, certificate management, anti-virus, email security controls, intrusion detection/prevention, identity, and access management, and security scanning and assessment tools
• Participate in architectural reviews of business systems, integrations, internal processes; provide recommendations and drive resolution of any required security controls
• Conduct security audits and assessments, analyze results, identify remediation activities and/or compensating controls, drive, and track remediation efforts to completion
• Respond to customer or other third-party inquiries related to Sage Intacct's security program
• Participate as a member of the Incident Response Team by conducting forensic analysis and troubleshooting to assist in the containment and remediation of security incidents
• Identify security issues and provide the appropriate resolution or make recommendations to Sr. Management on how to resolve or identify compensating controls related to security findings

Requirements:

• Bachelor's degree in an information technology discipline or equivalent IT experience required
• Relevant IT or security certifications including CISSP, CISM, CRISC, CEH or SANS certs are expected
• Extensive experience (7+ years) in information security audit, compliance, and risk management
• While this position is primarily responsible for managing compliance, there is an expectation that the candidate has some knowledge of the following: security products and technologies; security engineering/architecture, networking protocols, security analysis, and investigations, Linux system administration
• Understanding of malware kill chain and pervasive threat attack methods and remediation
• Experience with Sumo Logic, Splunk, Elastic Search, Snort, Tripwire, Wireshark, Burp Suite, or other analytics tools a plus
• Experience with Cisco ASA and Palo Alto Firewalls a plus
• Programming experience in scripting languages such as Windows PowerShell, Python, Perl, Bash, etc., highly desirable
• Ability to multitask, prioritize, coordinate, work well under pressure and meet deadlines
• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to both technical and non-technical audiences
• Must be a critical thinker with strong problem-solving skills and a "can-do" attitude
• Must have experience with MS Office products with a strong working knowledge of Excel Pivot Tables and Charts
• Must stay up to date with current vulnerabilities, attacks, and countermeasures
• Must be able to and willing to work independently with minimal amount of supervision