We’re seeking a highly motivated, collaborative and technically experienced Security & Compliance Engineer to join Expedia's Enterprise Risk & Security (ERS) group.
You understand cloud operational and security processes, can build, establish and communicate security controls, and support change within the organization through effective development and testing. To be successful, you are organized, resourceful, possess domain knowledge of security compliance and have a “can-do” attitude.
You will be a key member of our security compliance team and play an important role in building adherence to security control requirements. In this role, you will be required to demonstrate the ability to analyze difficult problems, think outside the box and provide pragmatic solutions and recommendations. Your knowledge and experience in NIST CSF, ISO 27001, ISO 27018, FedRAMP, PCI, SSAE 18, and SOC 2 will be an asset.
- Evaluates the design and effectiveness of common controls based upon industry best practice models (e.g. COBIT, ITIL) in accordance with compliance requirements.
- Performs development and testing activities to help measure and monitor compliance with company policies and procedures.
- Participates in external certification and drives Expedia partner audit events, including preparation, sample delivery, onsite facilitation and management response activities.
- Identifies gaps and prepares
- Assists in the analysis and definition of security requirements.
- Assists with ongoing maintenance and support of security controls.
- Acts as an internal resource and subject matter expert on Expedia Security policy and standards.
- Provides technical and operational support on security compliance for Expedia’s partner environment.
- A minimum of 5 years of job-related experience in a compliance or technical engineering field.
- Has worked in a regulated environment, preferably dealing with PCI, SOX, SOC 2 or other regulatory or attestation examinations.
- Demonstrated expertise managing a compliance project and effectively managing stakeholders
- Information Security certification(s) with demonstrated work experience preferred. Desired certifications include CISA, CISSP and PCI; PMP is a plus.
- Familiarity with administering and securing operating systems, database platforms, endpoint security and network infrastructure is preferred.
- Experience with best practices for network architecture and security controls (routers, firewalls, networking protocols, etc.).
- Ability to recognize, analyze and document deficiencies and to articulate them to both technical and non-technical management personnel.
- Experience applying a risk-based audit approach when evaluating, and making recommendations on, management processes.
- An understanding of information security frameworks, processes, technologies and practices, including the NIST and ISO 27xxx standards.