About The Role:
Not only do you cross all your “t”s and dot all your “i”s, you know how to count them, where to find them if they’re missing, and what happens if they don’t get found. You’ll help teams being audited with their data collection activities and deliver results for successful audits. You will be a part of the team responsible for making sure that the data necessary for Sterling to pass its technology audits is up-to-date and accurate. You will work with multiple teams across the business to collect audit evidence and deliver metrics associated with information security controls and operations.
This Is What You’ll Do:
- Collect and track all evidence required for Sterling’s SOC 2 audits and assist with the collection of ISO 27001 evidence.
- Perform data analysis using scripting and several database query languages.
- Build dashboards, status reports, and evidence documentation, and optimize evidence collection processes through automation.
- Work with teams across the organization and with internal and external auditors to provide timely reports of evidence and upload evidence into tracking systems.
- Improve the technology risk management processes within the business through engagement with business stakeholders.
- Complete technology risk assessments for external vendor and client relationships, and work with the business to develop risk mitigation strategies.
This Is The Job For You If You:
- Want a hands-on role with an organization that treats compliance, privacy, and security as a core part of the business.
- Understand the controls and processes associated with SSAE SOC 2 and ISO 27001:2013 audit programs.
- Are experienced with data collection, analysis, and reporting, including spreadsheet data analysis, database query skills, and operating system scripting skills.
- Have worked with Global Risk and Compliance software tools and can develop and build technology audit programs and evidence collection plans.
- Are passionate about the details and can communicate the importance of timely and accurate data to control owners.
- Can self-direct and remain productive in a virtual-first company.
This Is What We’re Looking For:
- Demonstrated history of experience and success with oversight and evidence collection associated with SSAE SOC 2 and ISO 27001:2013 technology audit and metrics programs.
- Knowledge of the technology and security aspects of additional audit frameworks, such as NIST, FedRAMP, HITECH, or CJIS, and some SQL experience.
- An extremely strong ability to negotiate and communicate with auditors and business stakeholders to ensure accurate scoping, accurate results, accurate data acquisition, and timely delivery.
- A strong 5+ year background with Information Security and Risk Management, through a combination of work experience and relevant education.