IT Security & Compliance Director

Description

• Assists in the analysis and definition of security requirements based upon data types, solutions markets, customer requirements, and other factors. Assists in identifying spirit and intent of security requirements in a manner that maximizes implementations across QTC solutions.
• Has primary responsibility for cybersecurity compliance efforts including certifications, accreditations, and authorizations review, security test and evaluations and drafting associated reports
• Coordinates compliance remediation activities and maintains accurate list of open and close compliance issues for the organization
• Coordinates all internal (e.g. Leidos internal audits) and external audit events (e.g. HIPAA, NIST, SOX, Authorization To Operate (ATO) and Risk Management Framework (RMF) with clients, etc.), including discovery, sample delivery, management response, and remediation activities for all audits
• Works with Leidos Security team to conduct, report, and remediate findings from Intrusion Detection and other vulnerability scans (e.g., Nessus, AppScan, AppDetective, WebInspect, Burp Suite, Qualys, or similar).
• Reviews infrastructure and application architecture for security and compliance; provides actionable guidance to ensure secure infrastructure and application architecture posture.
• Leads short-term projects that interact with multiple departmental teams including business, client and technical stakeholders; demonstrates ability to effectively communicate security requirements and implications to stakeholders of varying levels and business focus
• Performs regulations and standards gap analysis and prepares audit reports
• Assesses the new QTC Commercial Line of Business Security status and works on transitioning the line of business more in line with other standard QTC security and compliance standards
• Facilitates customer request, information gathering, and prepares response
• Develops mapping for controls to a Unified Control Framework
• Other projects and duties as assigned

• Ability to understand weight and intent of privacy, cybersecurity compliance frameworks, requirements, and system boundaries to provide effective and meaningful analysis as well as to recommend big picture strategy that maximizes implementation of security features and functions so as to result in cost efficient compliance with multiple relevant frameworks
• Must be a hands-on, self-starter individual who is reliable, self-motivated, and has a can-do attitude
• Strong experience managing and maintaining cybersecurity compliance within large organizations and distributed environments, including both on premise as well as in the cloud
• Ability to identify technical and process design gaps based on applicable cybersecurity requirements and recommend appropriate remediation; including the drafting of plans, policies, and/or procedures
• Ability to prepare compliance reports and associated metrics, both formal for security authorization or certification purposes, as well as actionable reports for internal consumption by system admins/developers
• Ability to work independently with customer audit teams to provide relevant security details to fill information request
• Excellent negotiation and executive-level presentation skills to work with senior business, client and technical leaders
• Ability to multi-task and work effectively/efficiently with little direct supervision
• Excellent writing, editing, and documentation and evidence management skills
• Some travel will be required
• Must be legally eligible to work in the United States

• Bachelor's degree from an accredited college in Technology related discipline (e.g. Computer Science, Engineering, Information Systems, etc.) or equivalent experience/combined education
• 15+ years working in compliance, information security, or internal audit covering one or more of the following: HIPAA, NIST 800-53, and Sarbanes-Oxley
• 14 years of relevant supervisory experience
• Required CISSP; CISM, CRISC, or CGEIT preferred
• Working experience with RMF, ATO, and one or more of the following standards and regulations: NIST 800-53, SOX, PCI, HIPAA
• Experience with using security tools such as Nessus, NMAP, Rapid7, and Qualys
• Must be able to successfully pass National Agency Check with Inquiries (NACI) background investigation