Manager, Governance, Risk, Compliance - Audit

Job Locations: US-NC-Cary HQ
Requisition ID: 20059760
Category: Contracts/Legal
Visa Sponsorship: No
Travel Requirements: None

Governance, Risk, Compliance – Audit (GRC – A) Manager – Hybrid | Cary, North Carolina

Nice to meet you!

We’re the leader in analytics. Through our software and services, we inspire customers around the world to transform data into intelligence – and questions into answers.

We’re also a debt-free multi-billion-dollar organization on our path to IPO-readiness. If you’re looking for a dynamic, fulfilling career coupled with flexibility and world-class employee experience, you’ll find it here.

About the job

Be responsible for managing a team that bridges the gap between compliance and information security by supporting policy and standards development, risk assessments, audits, and overall security controls guidance. You will be specifically focused on Compliance. You must have technical knowledge and/or experience in information security and the ability to communicate information security risk, controls, and mitigation strategy to SAS customers and SAS management at all levels of the business across the enterprise.

As a Governance, Risk, Compliance – Audit (GRC – A) Manager, you will:

  • Maintain an understanding of compliance requirements, standards, guidance, and interpretations and/or best practices, including NIST 800-53, HIPAA, FedRAMP, IRS 1075, and ISO 27001.
  • Manage the benchmark program of security practices against applicable regulations and standards (for example, ISO 27001, HIPAA, IRS 1075, NIST 800-53, FedRAMP).
  • Be responsible for the delivery and maintenance of compliance documentation provided to government sector customers, such as System Security Plans, Plans of Action and Milestones (POA&M), Continuous Monitoring Plans, etc.
  • Manage the team performing issue remediation tasks in response to audit findings, specifically the Plan of Action and Milestones (POA&M) delivered to government customers.
  • Interface with customer sponsors and customer auditors to discuss security or IT hosting operations-related concerns during pre- and post-sales activities, and collect and defend relevant evidence.
  • Interface with regulators and external assessors to describe applicable security or IT hosting operations controls in order to obtain and maintain external certification.
  • Operate as a consultant and a leader, recommending changes to enhance security processes.
  • Work with other information security teams globally, helping to provide a consistent approach to governance and compliance activities.
  • Effectively communicate, facilitate, present, and train both technical and non-technical audiences, small and large, regarding SAS Cloud and security requirements and procedures.
  • Use the GRC tool to manage the compliance profile, including managing continuous monitoring indicators, building reporting dashboards, and tracking issue remediation.
  • Provide thought leadership regarding compliance, audit and/or security requirements within regulated markets (heavily focused on government sector requirements).
  • Participate in security investigations and compliance reviews, as required by contract or regulation.
  • Provide final review of security contract terms and ensure alignment to policies and processes.
  • Interface with customer attorneys and security officers to discuss and negotiate security or SAS Cloud operations-related concerns during pre- and post-sales activities.
  • Provide final review of responses to RFPs and security questionnaires.
  • Continuously improve the Information Security Management System (ISMS) / Quality Management System (QMS), including SAS security policy and process development and updates, while ensuring compliance with regulations and guidance.
  • Identify and recommend cost-effective improvements to security practices while maintaining compliance with required standards and regulations.

Required Qualifications

  • Bachelor's degree in Business, IT, Computer Science, Project Management or a related field.
  • 4-8 years of functional experience in project management, management consulting, IT, audit/compliance or a related field.
  • Experience in a regulated (specifically, government) industry (may be concurrent with the above functional experience).
  • Understanding of regulatory standards (ex: FedRAMP, NIST 800-53, IRS 1075, CJIS, HIPAA).
  • Knowledge and experience with best practices/standards (ex: COBIT, GAMP5, ISO 27001).
  • US Citizenship required.
  • You’re curious, passionate, authentic and accountable. These are our values and influence everything we do.

Preferred Qualifications

  • Use and/or implementation of a GRC tool (ex: ServiceNow, Archer, TeamMate, Thomson Reuters).
  • Management consulting experience.
  • Experience with the ServiceNow issue management ticketing system.
  • Auditor or security certification (ex: CISA, IIA, CISSP) and/or training.
  • SAS software implementation experience or IT hosting experience.

World-class benefits

Highlights include...

  • Comprehensive medical, prescription, dental and vision plans.
  • Medical plan options include…
    • PPO with low annual deductible and copays.
    • HDHP combined with a health savings account with a contribution from SAS (no access to on-site health care center).
  • Onsite Health Care Center (HQ) that’s free to employees and family members enrolled in the PPO plan. There’s a pharmacy too! Not local to HQ? The pharmacy will ship prescriptions for no additional charge!
  • An industry-leading 401k plan.
  • Generous time away including vacation time, a variety of paid holidays, and our much-loved U.S. Winter Wellness Break between December 25 and January 1.
  • Volunteer Time Off, parental leave and unlimited paid sick days.
  • Generous childcare benefits for all full-time employees.

Diverse and Inclusive

At SAS, it’s not about fitting into our culture – it’s about adding to it. We believe our people make the difference. Our diverse workforce brings together unique talents and inspires teams to create amazing software that reflects the diversity of our users and customers. Our commitment to diversity is a priority to our leadership, all the way up to the top; and it’s essential to who we are. To put it plainly: you are welcome here.

Additional Information

To qualify, applicants must be legally authorized to work in the United States, and should not require, now or in the future, sponsorship for employment visa status. SAS is an equal opportunity/Affirmative Action employer. All qualified applicants are considered for employment without regard to race, color, religion, gender, sexual orientation, gender identity, age, national origin, disability status, protected veteran status or any other characteristic protected by law. Read more: Know Your Rights. Also view the Pay Transparency notice.

Resumes may be considered in the order they are received. SAS employees performing certain job functions may require access to technology or software subject to export or import regulations. To comply with these regulations, SAS may obtain nationality or citizenship information from applicants for employment. SAS collects this information solely for trade law compliance purposes and does not use it to discriminate unfairly in the hiring process.

SAS only sends emails from verified “sas.com” email addresses and never asks for sensitive, personal information or money. If you have any doubts about the authenticity of any type of communication from, or on behalf of SAS, please contact Recruitingsupport@sas.com.