Compliance and Information Security Manager
Based in Seattle, Subsplash is an exciting award-winning team of 100+ mission-driven people who are committed to our core values of humility, innovation, and excellence. Founded in 2005, we’ve remained family owned and operated while pioneering the market with the first ever church mobile app. Since then, we’ve been working together to build The Ultimate Engagement Platform™ for churches, Christian ministries, non-profits, and businesses around the world. We find excitement in serving our 9,000+ clients, creating impactful products, and delighting the 40 million real people who use our platform every day. Subsplash has won awards for best mobile experience, been voted top 100 Washington's Best Workplaces by the Puget Sound Business Journal, created some of the most downloaded apps of all time, and built enterprise software for world-class brands like XBOX, Microsoft, Samsung, Expedia, and Cisco; yet, at the end of the day, we love making a lasting impact and a difference in our world.
Working at Subsplash is more than just a job; we are a team of people who are courageous, inventive, and passionate about doing meaningful work every day. Don’t take our word for it—head to Glassdoor and see for yourself!
About Our Team
The Subsplash Finance team is a growing team focused on keeping the company running efficiently and effectively. We are detail oriented, analytical number crunchers, and love improving processes (not to mention a good spreadsheet!). We rely on each other’s areas of expertise across finance, accounting, and data analysis. If you enjoy working with teams of positive, high-energy people who are experts in their domain, this just might be the right fit for you!
About the Role
As the Compliance and Information Security Manager, you will report to the VP of Finance. You will act as the company's subject matter expert (SME) on security and compliance, advancing our security program across the entire company, which requires excellent interpersonal and communication skills as much as technical depth. You will bring together people, policy, and tools so that we continue to meet our security commitments with confidence. The position covers all aspects of security risk management and data protection, with a particular emphasis on creating an Integrated Compliance Framework (ICF) that governs Subsplash's information systems infrastructure. In this role (referred to below as the CISM), you will continuously review our security posture, measure our systems against industry best practices, and take guidance from contracted experts, vendors, security tooling, and regulators.
Top 4 outcomes in year 1:
- Build & Improve the PCI & GDPR compliance, Privacy and Security Program
- Design & Implement an ICF related to privacy, security, confidentiality and NIST
- Create and Manage all Incident Response activity
- Establish Employee Training on Compliance and IS
Responsibilities
- Issue Management/Risk Remediation: Work with stakeholders, including control owners, control performers, and other departments, to test, track, report on, and oversee remediation of compliance gaps.
- Design and maintain an Integrated Compliance Framework (ICF): The CISM maintains the ICF content, which enables a "test once, comply many" approach. Keeping current with emerging standards and regulations, the CISM gathers new requirements from a variety of sources, analyzes and cross-maps them to existing controls, obtains stakeholder sign-off, and updates the ICF.
- Continuous Compliance: The CISM also tracks, reports, and advises internal clients on incorporating controls and delivering evidence as part of their day-to-day operations, so that executing the controls becomes business as usual.
- Promote and support a culture of compliance, risk avoidance, and corporate accountability throughout the organization.
- Define and implement a risk-based approach to identifying, monitoring, recommending mitigating controls for, measuring, and reporting on the various types of security risk and compliance issues related to financial reporting, external vendors, and service providers, in line with NIST guidance.
- Provide governance for the identification, validation, and remediation of information technology controls required by Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), regulations governing Personally Identifiable Information (PII), and other regulatory compliance frameworks. Ensure successful audits of all compliance programs.
- Manage the relevant vendor relationships within the line of business for self-assessments, third-party QSA-led PCI assessments, and GIS-led PCI assessments.
Qualifications
- A deep and clear understanding of all aspects of risk management, data compliance, information security strategy, technologies, and tools, plus solid knowledge of applicable local and federal information technology laws.
- 5+ years of proven experience developing and executing security risk management and compliance programs in a SaaS or online payment environment, including developing and producing NIST-aligned security and compliance metrics for senior management.
- Solid understanding of assessing and designing internal controls, risk management practices, and security governance programs in an enterprise-level environment.
- Solid understanding of IT systems, applications, networks, and databases, with experience providing technical advice that balances risk against the cost-effective delivery of essential security services.
- Solid understanding of security controls across all security domains, such as access management, encryption methods, vulnerability management, network security, etc.
- Proven experience developing and submitting audit and compliance reports to governing bodies, legal entities, and/or external authorities.
- Working knowledge of the National Institute of Standards and Technology (NIST) frameworks, Payment Card Industry Data Security Standard (PCI DSS) compliance obligations, and GDPR compliance obligations.
- Willing to become, or already, certified in one or more of the following: ISA, QSA, CIPP, CISSP, CISA, and CISM. Willing to obtain and maintain security- and privacy-related certifications that would benefit the company.
- Experience planning, organizing, and developing information technology policies, procedures, and practices.
- Excellent conceptual and critical thinking skills and sound judgment, with a strategic orientation and the ability to execute tactically as required.
- Highly proficient in Gmail, Google Drive, and related Google Apps.
- Proficient in, or ready to learn, Tableau, Asana, and Slack.
Benefits
Generous Paid Time Off, Medical Coverage, Dental Coverage, Vision Coverage, 401k, Free Smoothies and Snacks, Public Transportation Subsidy.
Note: Employment with Subsplash is contingent upon satisfactory proof of the employee's right to work in the U.S., as required by law, and upon completion of a background check. Employment with Subsplash is considered "at will," meaning that either the company or the employee may terminate the employment relationship at any time without cause or notice.