Distinguished Security Engineer

Summary

Join Saviynt as Director, Information Security, and lead technical and GRC efforts, primarily focusing on the FedRAMP program. You will execute, scale, and evolve InfoSec and GRC functions, managing projects in an Agile environment. Responsibilities include leading FedRAMP certification, developing System Security Plans, leading ConMon discussions, reviewing security documentation, serving as the Governance POC, and conducting compliance assessments. You will also draft security documentation, automate GRC processes, perform vulnerability scanning, and support customer requests. Collaboration with cross-functional teams and stakeholders is crucial for successful execution of mission and business needs. This role requires strong technical expertise, leadership skills, and experience in managing Agile projects.

Requirements

• U.S. Citizenship: Applicants must be United States citizens
• Bachelor's degree or equivalent experience with a minimum of 15 years of experience
• Knowledge of U.S. Federal Government security compliance, risk management processes and requirements, including NIST RMF and NIST SP 800-53 Rev 5 controls
• Experience with vulnerability scanning, remediation, and continuous monitoring (ConMon)
• Experience developing executive level presentations to support Governance and broader Information Security updates to appropriate audiences
• Experience assessing project and technical documentation to ensure compliance with established policies, processes, and procedures
• Requires sufficient technical background to be able to interpret audit and compliance requirements, and be able to support basic evidence gathering needs in support of audits
• Ability to provide excellent written and oral communications by email, presentations, and mobile communication platforms (including: experience facilitating discussions, briefing senior managers, and conducting project meetings)
• Experience supervising or managing an Agile project team
• Work on multiple projects and tasks concurrently
• Experience defining project scope and objectives, developing detailed work products (schedules, status reports, etc.), conducting project meetings, and owning responsibility for project tracking and analysis
• Flexible and collaborative approach to enabling and supporting the business
• Strong stakeholder and relationship management skills
• Meet US persons on US soil requirements
• Undergo full background investigation/screening
• Undergo IAL3 requirements (Identity proofing to include I-9 document verification, biometric collection, and mailing address confirmation)
• Complete security & privacy literacy and awareness training during onboarding and annually thereafter
• Review (initially and annually thereafter), understand, and adhere to Information Security/Privacy Policies and Procedures such as (but not limited to)
• Data Classification, Retention & Handling Policy
• Incident Response Policy/Procedures
• Business Continuity/Disaster Recovery Policy/Procedures
• Mobile Device Policy
• Account Management Policy
• Access Control Policy
• Personnel Security Policy
• Privacy Policy

Responsibilities

• Serve as the lead for Saviynt’s FedRAMP Info Sec and Compliance related activities
• Taking Saviynt through FedRAMP certification and re-recertification journey
• Develop System Security Plans (SSP), drive FedRAMP audit work with support from cross functional team members
• Lead monthly ConMon discussions, especially the technical aspects
• Review security documentation/artifacts such as audit reports, gap analysis reports, POA&Ms, etc
• Serve as the Governance POC both internally and externally
• Identify governance or compliance requirements, assess risks, review required forms
• Serve as liaison across cross functional teams to help achieve Info Sec objectives. Proactively work with cross functional peers to establish InfoSec requirements and expectations, so that compliance checks provide assurance for implemented controls
• Accountable for the execution of various compliance assessments throughout the year, primarily FedRAMP related audits. Ability to extend to other audits such as ISO 27001, PCI-DSS, SOC 1, SOC 2 is a plus
• Draft and update key security documentation including policies, guidance documents, Contingency Plan, Incident Response Plan, etc
• Help automate GRC inefficiencies through automation and improved workflows
• Perform vulnerability scanning and provide remediation guidance as needed
• Have a working knowledge of the NIST CSF and RMF frameworks
• Support customer requests as they pertain to Compliance queries and to other Information Security questions, with the support of technical Info Sec members
• Develop and update Policies, Standards and Procedures per the organization’s policy framework
• Establish and lead risk management activities, including identification of risk and recommended mitigations; track and manage risks and issues from identification through closure
• Establish and maintain appropriate metrics that will help measure the GRC posture of the company
• Collaborate with key stakeholders to ensure successful execution of mission and business needs
• Execute on GRC initiatives as defined within the security roadmap, while working with the broader Information Security team and technology teams
• Conduct risk assessments, compile risk registers, and track risk remediation plans
• Respond to requests from customers for information on our security measures
• Completing vendor security reviews. Optimize and automate the security questionnaire process
• Review security clauses in customer and vendor contracts
• Establish, review, and enhance security training and awareness programs
• Support the business with customer engagements, including attending customer calls and supporting sales teams

Preferred Qualifications

• Experience with GRC tools and automation is a plus
• Experience with common controls framework, unified control framework (UCF) is a plus
• Knowledge of current trends/technologies (i.e., Zero Trust, AI/ML, PAM, etc.) is a plus
• Experience with continuous monitoring and Plans of Actions and Milestones (POA&Ms) is a plus
• Knowledge of local legal and regulatory security requirements including HIPAA, FedRAMP, and GDPR/privacy