About the Role

We are looking for a GRC Compliance Analyst II who can lead the day-to-day commercial compliance efforts (SOC 2 Type 2, ISO 27001/17/18, PCI) and controls program at HashiCorp. We are looking for a self-motivated individual who thrives in a fast-paced environment, can seamlessly drive efforts across multiple projects, working with various stakeholders.

Security at Hashicorp is a remote team. While prior experience working remotely isn’t required, we are looking for team members who can perform well given a high level of independence and autonomy.

In this role, your responsibilities will include:

• Help oversee and mentor existing compliance analyst(s)

• Lead the day-to-day activities of commercial compliance efforts, such as SOC 2 Type 2, ISO 27001/17/18 and PCI, including:

• Confirmation on scope

• Preparing control owners for external assessments

• Prepare internal communications, including weekly status updates

• Hosting walkthroughs and helping prepare and/or review walkthrough agendas

• Evidence collection, including detail review and analysis before sending to auditors

• Monitoring and tracking control exceptions, if applicable, and help teams create remediation plans for gaps/audit findings

• Development of the system description, including working with relevant control owners for input

• Preparation of ISO Scope documentation as well as Statement of Applicability (SOA)

• Support the ISO Internal Audit performed by HashiCorp

• Maintain and document the scope/boundaries of the compliance program (cloud accounts, repositories, Github teams, etc.) including updates, removals and additions.

• Drive the maturity of HashiCorps Common Controls Framework by continuously maintaining

• Work with Engineering teams to automate manual tasks, including continuous monitor of controls and audit evidence collection

• Drive the initiation and completion of User Access Reviews (UARs) on a quarterly basis, overseeing existing compliance analyst(s)

• Support internal readiness/gap assessments of new products being added to attestation and certification programs, as well as those products going into general availability.

• Development of key metrics and compiling data on a quarterly basis

• Support other compliance work as required including Security Awareness Training (SAT) monitoring for completion, and other Objectives and Key Results that the Compliance team is responsible for on a quarterly basis, annual review and refresh of the HashiCorp Security Policy and Business Continuity Plan, documentation of Security Policy Exceptions, etc.

Must have qualifications

• Minimum of 5 years of related professional compliance and controls program experience

• Previous experience in a cloud environment, preferably AWS and/or Azure

• Advanced level knowledge in either SOC 2 or ISO 27001

• Experience leading external audits, working as the liaison between auditors and the business

• Comfortable working with both deeply technical and non-technical resources

• Flexible in daily hours (e.g. willingness to work longer hours during end of quarter and peak periods, and audit)

• Highly responsive

• Ability to prioritize and track multiple projects and tasks in parallel

Desired Qualifications

• Experience working in a large, multi-cloud environment

• Deep understanding of common security compliance frameworks, attestations and certifications

• Previous experience at a technology or SaaS company in a similar role

• Experience working with OSCAL

#LI-Remote

Individual pay within the range will be determined based on job related-factors such as skills, experience, and education or training.

The base pay range for this role in the SF Bay Area / NYC area is:

$157,300—$185,000 USD

The base pay range for this role in Seattle Metro, Denver / Boulder Metro, New York (excluding NYC), Washington D.C., or California (excluding SF Bay Area) is:

$144,200—$169,600 USD

The base pay range for this role in Colorado (excluding Denver / Boulder Metro) and Washington (excluding Seattle Metro) is:

$131,100—$154,200 USD