- Principal Compliance position reports to the Information Technology Office (ITO) GRC Director within the Cyber Assurance (CA) Directorate’s Governance, Risk and Compliance (GRC) division.
- The ITO CA GRC Cyber Security Analyst – Principal Compliance position exercises significant judgment in executing job responsibilities and is responsible for assisting with the technical assessment of systems to include FAR, DFARS, FedRAMP, HIPAA and NIST controls.
- Coordinate assessment efforts and communications with internal IT Control Owners, wholly owned subsidiary management, and internal and external Service Lines and Customer Groups performing on contracts supported by SOX or FAR/DFARS in-scope systems, as well as their Program Managers (including senior management) and their respective audit organizations.
- In addition to the primary responsibilities identified below, the Principal Cyber Security Compliance Analyst will serve as a subject matter expert for all SAIC IT Technical Compliance consultations and guidance to ensure employees, suppliers, and customers are aware of and understand FAR, DFARS, FedRAMP, HIPAA, NIST, SOX and other technical compliance Security Standards/Controls specified under various IT governance and compliance models.
- This includes: Applications and Systems Development Security, Security Management Practices, Access Control, Security Architecture and Modeling, Telecommunications, Network Security, Cryptography (PKI), Operations Security, and Physical Security Controls, etc.
PRIMARY RESPONSIBILITIES:
- The successful candidate for the Cyber Security Analyst – Principal Compliance position will develop and maintain constructive relationships with SAIC's internal control owners, regulators, industry associations and peer companies as they relate to IT Security Technical Compliance.
- The successful candidate for the Cyber Security Analyst – Principal Compliance position will be required to serve as a leader and subject matter expert on various SOX, DFARS and other technical compliance IT enterprise projects and initiatives.
- Serve as a leader and security subject matter expert when consulting with SAIC’s covered DFARS IT contracts and associated in-scope Systems in coordination with senior members of the Contract Compliance & Operations team.
- Follow established guidelines to investigate possible complaints under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Gather, prepare, and summarize relevant materials for use by attorneys and other legal counsel.
- Provide technical security responses in support of case files for new and existing complaints, legal research, indexes, and the security portion of tracked documents being sent to possible complainants.
- Serve as a leader and consultant for the development and ongoing management of Policies, Procedures and Training for SAIC's core FAR, DFARS, NIST, FedRAMP and SOX contract management processes (including pre-award activities, Organizational Conflict of Interest (OCI) management, contract award, contract modification and contract close-out) for US Federal, State & Local, Commercial and International contracts.
- Evaluate and conclude on internal auditor IT exceptions & findings.
- Monitor and provide input on emerging regulation and regulatory changes in the US Federal and State & Local contracting environment (including FAR, DFARS, Federal Agency Supplements, SOX, State & Local requirements and CAS); ensure SAIC's Security Policies, Plans, Procedures and Training for DFARS compliance remain compliant and up to date.
- Lead the IT Security Compliance consultant function to ensure continued maintenance and improvement of the security of SAIC's FAR, DFARS and SOX in-scope IT Systems.
- Participate in the development, review and periodic certification of FAR, DFARS, FedRAMP, SOX and operational controls as they relate to SAIC's Contract Management processes.
- Act as a subject matter expert for IT technical compliance on corporate initiatives, including merger & acquisition activities, process improvement projects and organizational development activities.
- Discuss findings and conclusions with internal and external auditors.
- Review and evaluate external auditor independent findings.
- Act as a conduit between internal auditors and external auditors.
- Facilitate meetings to ensure IT controls stakeholders are aligned.
- Attend various meetings: internal PMO meetings, PMO/ITS meetings, external audit meetings and internal audit briefings.
- Assist in remediation planning and prioritization.
- Review new and changed IT controls.
- Evaluate new system implementations including subsidiaries for IT control considerations.
- Develop manuals and guidance to assist departments with IT control related matters (e.g., CONOPS).
- Develop audit findings analysis reports.
- Other duties as assigned.
TYPICAL EDUCATION AND EXPERIENCE: Bachelor's and nine (9) years or more experience; Master's and seven (7) years or more experience; PhD or JD and four (4) years or more experience.
- A minimum of a Bachelor's degree coupled with 7+ years of experience in IT compliance or auditing with an emphasis on SOX, DFARS, NIST and other control frameworks.
- Working knowledge of Security Standards/Controls specified under various IT governance and compliance models (NIST, ISO 27001 & 27002, ITIL, SOX, and DFARS/FAR).
- This includes: Applications and Systems Development Security, Security Management Practices, Access Control, Security Architecture and Modeling, Telecommunications, Network Security, Cryptography (PKI), Operations Security, and Physical Security Controls, etc.
- Experience working in a Fortune 500 company or in an auditing firm where the responsibilities included developing audit committee materials and findings for public consumption.
- Evaluating and concluding on internal and external auditor IT exceptions & findings.
- Understanding of the ITGC Audit Conclude Framework for SOX 404, “A Framework for Evaluating Control Exceptions and Deficiencies” v3 2004.
- Understanding of Securities and Exchange Commission (SEC) Interpretive Guidance on Management's Report on Internal Controls Over Financial Reporting.
- Project management experience.
- Ability to understand and interpret IT technical environments for non-technical individuals.
- US Citizen and able to obtain a Top Secret Clearance.