Lead Information Security Risk Management and Compliance Specialist

This role will supplement GRC Compliance Specialists, GRC Risk Management Specialists and ISMS owners. This role will focus on defining, quantitating, and developing materials such as Plan of Action & Milestone(s) (POA&M) to mitigate and resolve risks across Jeppesen. This role must see broader impacts of risks and be capable of relating risks to key stakeholders. This role will work with risks on different levels, from a technical product and vulnerability perspective to a more holistic organizational view. The role will also support compliance efforts by assisting in analyzing security practices and controls for the various frameworks, analyze Jeppesen's current state, analyze the deficiencies between current Jeppesen state and implementation of controls, determine corrective measures to address deficiencies, plan appropriate steps to implement corrections, track the implementation of corrective actions, and provide internal self-audits of both processes and operational implementation of the controls. This role works across the organization and is expected to communicate effectively with leadership, operations, and development in ensuring that Jeppesen establishes and maintains a world-class compliance team.

Domestic and international travel may be required to support audit and compliance efforts at Jeppesen locations in the US and worldwide. This is not estimated to be more than 15% of the employee's time.

Position Responsibilities

• Communicate with groups from C-Level Executives to operations and development
• Willingness to speak truth on security compliance regardless of audience; the role must be willing to express deficiencies when deficiencies exist
• Lead and support various risk management teams and boards across Jeppesen such as change control board(s) (CCB), vulnerability management, operational risk boards, business risk boards
• Will be an authority in identifying mitigations to risk including technical and operational
• Will prepare steps and efforts to mitigate and burn down risk across all levels of the business
• Work in GRC tools such as Vanta to track risk
• Will own and delegate risk ownership where appropriate
• Understand compliance frameworks and how they interrelate in terms of controls
• Decompose security practices and controls into actionable requirements
• Define, write, and formally document policies, standards, procedures, guidelines, and baselines
• Test policies, standards, procedures, guidelines, and baselines for compliance to security frameworks
• Determine non-compliance and/or deficiencies between control expectations and current implementation including ability to provide guidance to fully meet intention of the security control
• Analyze schedule and budgets to determine if tasks are achievable
• Understands risk management including business risk management, operational risk management, and development risk management
• Problem solver; a desire to see problems as challenges to be resolved
• Continue to learn and improve skills through both JEPPESEN provided training and self-training
  
  

Basic Qualifications (Required Skills/Experience)

• A bachelor's degree in Engineering or higher is REQUIRED.
• Minimum of 5 years working risk management or similar functions
• Minimum of 5 years working in security practices and controls
• Extensive understanding and ability of tracing products and operational risks to business risk
• Ability to supplement all areas of GRC at Jeppesen as schedule(s) dictate
• Ability to quickly change from one task to another
• Experience in at least one of the following security frameworks: NIST, ISO 27001, CMMC 2.0, COBIT, Cyber Essentials, etc.
  
  

Preferred Qualifications

• A bachelor's degree or similar level of experience in a technical field
• A security or compliance certification such as CISSP, CRISC, CISA, CISM, CCP, CCA, ISO 27001 Auditor, etc.
• Ability to effectively discuss security frameworks in detail in how compliance works to shape a business and/or business unit
• Ability to take non-specific technical controls and data and relate them to technical implementations
• Experience working in Change Control Boards (CCBs) or other oversight groups
• Experience auditing businesses, business units, or teams for compliance to a security framework
• Experience in regulations such as GDPR, HIPAA, FISMA, etc.
• Experience in technical roles such as security operations, boundary defense, vulnerability management
  
  

Why You Should Join


At Jeppesen ForeFlight, we know you want a rewarding career. To do that, you need challenging projects, a good work environment, and awesome coworkers. We believe in our employees and empower them to make a direct impact on our products and services messaging. We strive to provide employees and their loved ones with a world-class benefits experience, focused on supporting their physical, financial, and emotional wellbeing. Our benefits package includes but is not limited to the following:

• Group Medical insurance
• Group term life, personal accident, and critical illness insurance
• Gym reimbursement
• 20 days of paid vacation time
• 12 days of paid sick time
• Employee Assistance Program