Position Title: IT Compliance Manager
Department: Information Technology
Reports to Role: IT Director, Operations & Infrastructure
Position Last Updated: 04/01/2024
Location: On-Site (California)
Direct / Indirect Reports: 0
Position Summary:
The IT Compliance Manager will be responsible for leading all IT compliance activities at the site, including System Security Plan (SSP), Plan of Action and Milestones (POAM), and Sarbanes-Oxley Act (SOX) compliance. They will oversee the development and maintenance of SSPs, ensuring alignment with regulatory requirements and organizational policies. The role involves managing POAMs to address identified vulnerabilities and track remediation efforts effectively. Additionally, the IT Compliance Manager will ensure adherence to SOX requirements related to IT controls, working closely with cross-functional teams to implement and maintain effective control measures. This position requires a thorough understanding of IT compliance frameworks, strong project management skills, and the ability to communicate effectively with stakeholders at all levels of the organization.
Principle Duties (includes, but is not limited to):
Lead IT Compliance Activities:
- Oversee all IT compliance activities at the site, ensuring alignment with regulatory requirements and organizational objectives.
- Develop and maintain System Security Plans (SSPs) to document security controls and procedures for IT systems.
- Manage Plan of Action and Milestones (POAM) to address identified vulnerabilities and deficiencies in IT systems.
- Coordinate with cross-functional teams to ensure timely completion of compliance tasks and milestones.
Sarbanes-Oxley (SOX) Compliance:
- Manage and execute IT controls testing in accordance with SOX requirements.
- Ensure that IT controls are properly designed and operating effectively to mitigate financial reporting risks.
- Work closely with internal and external auditors to facilitate SOX compliance audits and reviews.
- Develop and maintain documentation related to IT controls and compliance activities for SOX reporting purposes.
Risk Assessment and Mitigation:
- Conduct risk assessments to identify potential IT compliance risks and vulnerabilities.
- Develop and implement risk mitigation strategies and controls to address identified risks.
- Monitor and report on the effectiveness of risk mitigation efforts to senior management and stakeholders.
Policy and Procedure Development:
- Develop and update IT compliance policies, procedures, and guidelines in line with regulatory requirements and industry best practices.
- Ensure that IT policies and procedures are communicated effectively to relevant stakeholders and are consistently followed across the organization.
CUI and CMMC Compliance:
- Stay updated on regulations related to Controlled Unclassified Information (CUI) and Cybersecurity Maturity Model Certification (CMMC).
- Ensure that IT and data management practices align with CUI and CMMC requirements, including data encryption, access controls, and incident response procedures.
- Coordinate with internal teams and external auditors to conduct assessments and audits to verify compliance with regulatory standards.
- Management of Purview and Secude tools for CUI.
Process Management:
- Develop and document IT and data management processes and procedures to ensure consistency and efficiency.
- Identify areas for process improvement and implement solutions to enhance the effectiveness of asset and data governance practices.
- Provide training and support to staff members on IT asset management, data governance, and compliance requirements.
Risk Management:
- Assess risks related to IT assets and data assets, including vulnerabilities, threats, and potential impacts.
- Implement risk mitigation strategies to minimize the likelihood and impact of security incidents or data breaches.
Change Management:
- Develop and maintain documentation, including policies, procedures, and technical specifications around the Change Management Process.
- Manage the Change Management process.
- Ensure that Change Management artifacts meet established standards and guidelines.
Training and Awareness:
- Provide training and guidance to IT staff and other relevant stakeholders on IT compliance requirements, procedures, and best practices.
- Foster a culture of compliance awareness and accountability throughout the organization.
Other:
- Adopt a “Go to Gemba” mindset to observe and understand how the work happens.
- Develop standard work documentation for IT processes and controls.
- Follow ITIL processes for support, helpdesk, and administration.
- Systematically work with business users to track helpdesk tickets in Jira or equivalent software.
- Other Duties as assigned.
Essential Qualifications / Experience:
- Must be a US Citizen.
- Bachelor’s degree in computer science, Information Technology, or a related field.
- 5+ years of experience in managing/leading the IT Compliance work.
- Extensive experience in IT compliance management, including SSP, POAM, and SOX compliance.
- In-depth knowledge of relevant regulations and standards, such as NIST SP 800-53, DFARS 252.204-7012, Sarbanes-Oxley Act (SOX), and other industry frameworks.
- Strong understanding of IT controls, risk management principles, and audit methodologies.
- Excellent communication skills, with the ability to effectively collaborate with cross-functional teams and communicate complex technical concepts to non-technical stakeholders.
- Proven analytical and problem-solving abilities, with a keen attention to detail and a commitment to continuous improvement.
- Proficient or familiar with ITIL fundamentals.
- Excellent analytical, mathematical, and creative problem-solving skills.
- Excellent written and oral communication skills.
- Excellent listening and interpersonal skills.
- Ability to conduct research into systems issues and products as required.
- Ability to communicate ideas in both technical and user-friendly (i.e., Non-IT speak) language.
- Highly self-motivated and directed.
- Ability to effectively prioritize and execute tasks in a high-pressure environment.
- Strong customer service orientation with demonstrated business partner influence.
- Ability to thrive in a highly matrixed organization where boundaries are sometimes unclear. Working well across teams, functions, and organizations.
- Ability to travel up to 20%.
Preferred Experience:
- Relevant certifications such as Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC) preferred.
- Vendor Management experience.
- Experience working with Purview/Secude.
- Technical Certifications.
- Process & Change Management expertise.
- Intermediate to advanced Excel skills.
- 7+ years of overall experience.
Competencies:
- Track record of driving incremental change via process and/or IT tools.
- Ability to translate technical IT terminology into simple business speak.
- Integrity and ethical qualities of the highest standard and comfort in raising awareness to concerns up the leadership chain of command.
- Self-starter with desire to foster a sense of urgency when addressing customer and business concerns.
- Demonstrated commitment to continuous improvement and employee productivity.
- Must demonstrate strong analytical and problem-solving thought process.
- The ideal candidate will have the interest and aptitude for continued professional growth. He/she will possess the competencies and aspirations to progress in functions and levels beyond IT operations site leadership.
Opportunities at CRANE:
- Personal development – Work with other high-energy individuals and technical experts in a cross-functional, results-focused environment.
- Technical development – Opportunity to refresh, refine, or enhance technical skills with certifications or classroom courses.
- Career advancement – Natural candidate for regional operations lead, business systems analyst, or project manager track.