Senior Risk Analyst at Medallia
- Enhance and maintain Medallia’s policies and standards in collaboration with internal teams.
- Build and maintain the controls matrix, in alignment with multiple compliance frameworks including SOC 2, ISO 27001/27701/27017/27018, HITRUST and HIPAA.
- Familiarity with Data Privacy regulations (GDPR/CCPA and similar).
- Own the annual audit process, educating control owners about control responses and how these integrate into their day-to-day processes.
- Prepare compliance reports, identify issues and escalate through proper governance channels as needed.
- Support key business initiatives by identifying security and compliance related risks.
- Collaborate with teams across Medallia, validate that security controls are implemented and develop recommendations to remediate control deficiencies.
- Lead the security review component of vendor governance.
- Prepare status reports and updates for senior leadership.
- Develop employee-facing technical documentation, internal wiki pages and periodic security-oriented communications to raise awareness of Information Security policies and standards.
- Respond to RFP requests and client questions around security.
- Develop security and compliance content for newly acquired Medallia companies.
- 5+ years of experience working with technology governance, internal controls and compliance activities, including IT Audit, ISO 27001/17/18, SOC 2, HIPAA, FedRAMP, HITRUST and Data Privacy laws and regulations.
- Experience working with modern cloud Software as a Service (SaaS).
- Excellent written and oral communication skills with an ability to effectively communicate security topics to a variety of audiences.
- Experience in executing technology risk assessment methodologies and familiarity with audit testing and relevant documentation standards.
- Strong leadership capabilities, a collaborative attitude and the motivation to work in a fast-paced startup environment.
- Ability to analyze, communicate and articulate governance and compliance trends and program requirements.
- Big 4 experience and industry certifications such as CISA, CISSP, CISM, PMP or CRISC are a plus.
- Ability to work closely with people at all levels of the organization and facilitate the implementation of corrective action as needed.