Information Security and Privacy Compliance Manager
Montréal, Quebec, Canada
Reporting to the Chief Information Security Officer, the Information Security and Privacy Compliance Manager will be responsible for ensuring that the company operates in compliance with applicable security and privacy standards and requirements, and will demonstrate that commitment both internally and externally by driving continued compliance efforts. This includes maintaining and reporting on the security controls required by ISO 27001, ISO 27018, SOC 2, HIPAA/HITECH, Sarbanes-Oxley, FedRAMP and other regulatory requirements and security and privacy compliance frameworks.
More specifically, the Security and Privacy Compliance Manager will be responsible for continuously improving the company’s security and privacy compliance posture by leading, and taking an active part in, all information security and data privacy audits, certifications and compliance initiatives. This includes ensuring that the company’s products and services, and in particular its SaaS offerings, meet and operate in accordance with company security and privacy policies, customer commitments, contractual, legal and regulatory requirements, and the security and privacy frameworks the company has adopted. The Security and Privacy Compliance Manager will ensure that the required administrative, technical and physical controls are identified, documented, implemented, maintained and periodically tested so that they operate effectively and efficiently across the organization.
This position will respond to third-party audit requests, perform information security risk assessments and privacy impact assessments, participate in control testing, follow up on identified gaps and recommend improvements to reduce, contain and mitigate risk. The successful candidate will fill a hands-on global leadership role, leading other company teams by influence in their security and privacy compliance and certification efforts.
Key responsibilities and duties
- Lead and actively partake in company security and privacy certification and compliance initiatives, including ISO 27001/27018
- Map and document applicable security and privacy compliance requirements
- Monitor existing controls and conduct periodic audits and reviews to confirm their efficiency and operating effectiveness, verify that compliance requirements are met, and identify and report potential issues
- Develop metrics to report on security and privacy compliance
- Lead the development, timely implementation, monitoring and reporting of corrective action plans that address security or privacy compliance issues and audit deficiencies or observations
- Develop and implement risk management strategies to avoid compliance issues
- Develop and maintain a vendor risk management program
- Collaborate with product management, product owners and project teams on security and privacy impact analyses and on defining the security, privacy and compliance requirements that apply to our products and services
- Collaborate with product management, product owners and architects in identifying, defining and prioritizing security-, privacy- and compliance-related product and operational improvements
- Advise technical professionals on the implementation of controls to meet security and privacy compliance requirements and best practices
- Actively support the sales process by ensuring prompt response to customer security and privacy compliance-related enquiries
- Discuss security and privacy compliance issues with management and employees, and provide employee training on compliance-related topics, policies or procedures as required
- Act as liaison with, and provide assistance to internal and external auditors, and customers on compliance reviews and audit initiatives
- Maintain documentation of compliance activities to support audit requests
- Participate in the development, review and implementation of security and privacy-related policies, standards, guidelines and processes throughout the organization
- Bachelor’s degree in Information Systems, Accounting, Business or related field
- Minimum of 10 years of cumulative hands-on audit, security, privacy and compliance experience
- Professional certifications in the security, privacy, risk management and audit areas highly desirable: CISSP, CRISC, CISM, CISA, CIPP, etc.
- Strong leadership
- Ability to understand and translate business needs and compliance requirements into actionable technical and administrative controls
- Good understanding of security, privacy and compliance domains
- Excellent analytical skills and attention to detail
- Excellent communication & documentation skills
- Strong command of the English language
- Demonstrated initiative
- Ability to plan and deliver on commitments
- Good prioritization skills
- Strong problem-solving and decision-making skills
OneSpan offers the best of both worlds – a solid foundation that only an established global enterprise can provide, with the energy and creativity of an innovative start-up. In every role at OneSpan, you’ll contribute to the success of the most advanced security and e-signature technologies, and have opportunities to grow. You’ll continue your hands-on education through formal training and informal programs.