Security Compliance Analyst
Actalent · Morrisville, NC · 6 days ago
HybridLegal$50–$55/hrContract
Responsibilities
- Own and drive the full lifecycle of ISO and SOC 2 Type 2 audits, from initial planning through final reporting.
- Define detailed audit requirements and translate control language into clear, actionable technical requests for engineering teams.
- Request, collect, and organize evidence from technical owners, ensuring completeness, accuracy, and audit readiness.
- Review and validate the integrity and sufficiency of technical evidence, identifying gaps, inconsistencies, or invalid submissions.
- Track remediation activities for identified gaps and follow up with stakeholders to ensure timely closure of issues.
- Serve as the primary liaison with external audit firms, speaking the language of auditors and effectively defending the control environment.
- Create and maintain an annual audit calendar, including timelines, milestones, and preparation activities for audit windows.
- Cover coordination pre-audit reviews, walkthroughs, and readiness assessments to ensure the organization is well-prepared for audits.
- Utilize AI and large language models to automate evidence collection, parse system logs, draft control descriptions, and identify potential compliance gaps before audits.
- Apply a human-in-the-loop approach to AI usage by critically reviewing and validating AI-generated outputs for accuracy and completeness.
- Review technical configuration reports for infrastructure, networking, containers, and databases to determine whether settings align with secure configuration expectations.
- Research and identify appropriate secure configurations and control implementations for technologies not previously encountered.
- Clearly explain to engineers what specific evidence or configurations are required, using precise technical language rather than generic control descriptions.
- Collaborate with engineering and security teams to define and refine technical controls that align with ISO, SOC 2 Type 2, and other relevant frameworks.
- Communicate complex compliance requirements in clear, accessible terms to non-technical stakeholders across the organization.
- Push back constructively on auditors when appropriate, providing reasoned explanations and evidence to support the existing control environment.
- Contribute to the continuous improvement of compliance processes by identifying opportunities to streamline workflows and reduce manual effort through automation and AI.
Qualifications
- Proven, specific experience managing end-to-end ISO and SOC 2 Type 2 audits, including planning, execution, and final reporting.
- Baseline understanding of ISO and SOC 2 Type 2 frameworks and their associated control requirements.
- Experience running audits, with a preference for technology-focused auditing experience.
- Demonstrated ability to understand and assess technical controls in cloud and SaaS environments.
- Technical literacy in cloud platforms, with a particular preference for experience with AWS.
- Capability to read and interpret technical configuration reports and determine whether configurations meet secure standards.
- Experience using AI and large language models to streamline compliance and audit tasks, including evidence collection and analysis.
- A clear human-in-the-loop philosophy for validating AI output to ensure accuracy and reliability.
- Strong communication skills, including the ability to explain complex compliance requirements to non-technical stakeholders.
- Ability to understand and articulate detailed technical requests from engineers and translate them into compliance terms.
- Confidence and professionalism in pushing back on auditors when necessary, supported by clear evidence and reasoning.
- Comfort discussing and auditing SaaS infrastructure running on public cloud environments such as AWS, Azure, or GCP and private cloud environments.
- Familiarity with networking concepts and components, including firewalls, switches, routers, VPNs, and secure remote access.
- Understanding of containerized environments, including Kubernetes and Docker.
- Ability to research and determine appropriate secure settings and configurations for unfamiliar technologies.