Futurify

IT Operation and Compliance Specialist

  • Posted 16 hours ago

Job Description


This role is responsible for establishing, implementing, and maintaining the organization's information security and compliance posture, with a primary focus on achieving and sustaining industry certifications. The specialist will handle the operational execution of compliance requirements, allowing the DevOps team to focus on core infrastructure tasks.

[What you'll do]

I. Compliance and Governance Management

  • Policy and Framework Development: Develop, implement, and maintain the Information Security Management System (ISMS) policies, procedures, and internal controls in alignment with organizational objectives.

  • Certification Leadership: Lead and drive the process for obtaining and maintaining key certifications, including ISO 27001 and SOC 2 Type II, by formalizing and documenting all required security management processes.

  • Regulatory Monitoring: Monitor and stay informed of new industry regulations, laws, and best practices (e.g., GDPR, PCI DSS) to ensure proactive compliance and update internal policies accordingly.

II. Audit and Risk Management

  • Vanta Compliance Management: Administer the Vanta platform, including connecting system integrations, reviewing failing checks, and driving the resolution of compliance gaps identified by the tool.

  • Risk Assessment and Remediation: Conduct regular internal audits, security assessments, and risk assessments to identify vulnerabilities, non-compliance issues, and risks related to accounts, network, and devices.

  • Audit Support: Coordinate and serve as the primary liaison for internal and external audits (including communications with auditors like Vanta), ensuring all required evidence, documentation, and remediation plans are prepared and executed in a timely manner.

  • Action Tracking: Continuously monitor compliance initiatives, managing action plans and following up with relevant stakeholders to ensure mandated actions and corrective measures are completed.

III. IT Operations and Security Controls

  • Access Control: Define and enforce security controls for identity and access management, including confirming SSO coverage, mandating Multi-Factor Authentication (MFA) for critical systems, and running privileged access reviews.

  • User Lifecycle Management: Document, implement, and validate the Joiner, Mover, and Leaver (JML) processes to ensure controlled user access throughout the employee/contractor lifecycle.

  • DevOps Collaboration: Work closely with the DevOps teams and Dev teams to integrate security and compliance requirements directly into the system development lifecycle (SDLC), change management, and infrastructure as code.

  • Infrastructure Assurance: Ensure all critical systems adhere to security best practices regarding logging, monitoring, secrets management, vulnerability scanning, patch management, and backup/restore validation.

IV. Coordination and Reporting

  • Documentation: Maintain comprehensive, up-to-date documentation for all IT compliance activities, policies, and internal controls.

  • Training and Awareness: Implement and coordinate security training and awareness programs to ensure employees and third parties understand and adhere to information security policies and their ongoing responsibilities.

  • Reporting: Prepare accurate compliance reports, key performance indicators (KPIs), and status updates for management to communicate the organization's compliance posture and cyber-security risks.

[Requirements]:

  • At least 3 - 4 years of experience in equivalent or related roles.
  • Strong communication skills in English, both written and verbal, for effective collaboration.
  • Experience with compliance automation and audit readiness tools, specifically Vanta.
  • Familiarity with access control platforms and standards, including JumpCloud and SSO.
  • Strong background in device security and applying controls across corporate IT infrastructure.
  • Ability to work across teams (Vietnam, Canada, US) to guide them through implementing IT and security controls and applying compliance frameworks.

[Why You'll Love Working Here]

  • All members are encouraged to raise their own ideas to grow.
  • Hybrid working allowed
  • Full salary during the probation period
  • 13th month salary
  • Annual Salary Review
  • Premium Healthcare Insurance
  • Annual Health Checks
  • Annual company trip
  • Be rewarded for achievements that exceed expectations
  • Paid time off: 18 days per year
  • Happy hour every Friday (4pm - 5pm)
  • The office is an open space with no private rooms for C-level executives. Freestyle dress code. Flexible working hours.


Job ID: 149401755