Senior Security Compliance Manager at Workfront
Lehi, UT, US

As Workfront’s Senior Security Compliance Manager, you will be a critical member of the Workfront Security team, reporting to the Vice President, Security / CISO, and the orchestrator of Workfront’s Security Compliance Program. In your role, you will be responsible for distilling all of Workfront’s security compliance requirements into an executable program: one that is well understood by control owners, team members, management, external assessment organizations, and customers. Your prior experience facilitating multiple audits (as both the external assessor and the internal lead in a similar role) and collaborating with team members across multiple departments will give you the foundation needed to succeed in this dynamic, high-visibility and high-impact role.

What you’ll do

Governance

  • Establish and maintain up-to-date, easy-to-understand, referenceable, and usable Information Security and Privacy policies and plans that comply with our applicable frameworks and regulations (e.g., AICPA’s Trust Services Principles (SOC 2), ISO 2700x, HIPAA/HITRUST). Establish and maintain an inventory of all procedures that support these policies and plans.
  • Create valuable, digestible, and memorable training on these policies for the organization, and role-specific training where a policy calls for it. Training doesn’t have to be the typical training we’ve seen: awareness is the goal, and there are many ways to get there. Ensure all employees are up-to-date on their annual security, privacy, and compliance training requirements.

Compliance and Customer Trust

  • Facilitate predictable and favorable external audits by doing the following:
    • Execute the annual internal assessment as an input into both our annual risk assessment and the improvement of our ISMS.
    • Distill the controls and processes of all applicable compliance frameworks (SOC 2, ISO 27001, HIPAA/HITRUST) into an actionable, well-understood, and monitorable program in which control owners know which controls they own and what is expected of them as owners.
    • Operate the controls you own yourself, and keep them in a continuously compliant state.
    • Maintain a positive, open, and trusting relationship with our internal control owners and external assessors.
    • Provide evidence artifacts requested by assessors in a timely manner.
    • Keep audit artifacts (system descriptions and control narratives, Statement of Applicability, etc.) up-to-date.
  • Keep customer due diligence documentation in our customer due diligence portal up-to-date and accurate (review quarterly).
  • Provide timely, accurate responses to customer inquiries.
  • Work with Legal to help ensure customer contract provisions are reviewed in a timely manner when requested terms fall outside our standard provisions.
  • Work with CISO to keep our externally facing websites accurate, informative, and up-to-date.
  • Assist CISO in conversations with customers when needed.

Risk Management

  • Execute the annual risk assessment as an input into our ISMS.
  • Keep the Risk Treatment Plan up-to-date and actionable, with owners, plans, and decisions on Risk Treatment items.
  • Help those assigned Risk Treatment Plan items be accountable and responsible for the plans to mitigate those items. Report accurate status on the progress of these plans.
  • Maintain our Business Continuity Plan, with supporting documentation (BIA, critical processes, plans, etc.), including disaster recovery, pandemic, crisis, evacuation, and other plans.

What you’ll need to succeed

  • Have 7+ years of experience as an IT Auditor, Security Compliance Manager, or in a similar role.
  • Possess strong communication skills.
  • Have a desire to learn from, teach, and share with others.
  • Be able to build and maintain the trust of your team members and Workfront’s customers.
  • Have unbridled curiosity, good instincts, and the skills to find things that don’t want to be found.
  • Possess an urge to be a meaningful contributor to the organization.