Security, Risk and Compliance Program Manager
Oracle | Hungary | Update time: October 11, 2022
Job Description

This position in the Global Business Units (GBU) Risk Management and Regulatory Compliance team within OCI will have responsibility for ensuring that the GBUs' Development, Cloud Operations and Services teams properly manage regulatory requirements related to the design, development, deployment and post-deployment of products and services. The position will drive the development and implementation of a comprehensive risk management and regulatory compliance strategy across the GBUs to optimize and continuously improve the information security of the GBU products and services. The role requires coordination between the GBUs' Development, Cloud Services, and Operations teams and Oracle's centralized Corporate Security Group and Oracle Legal organizations. This team will ensure that the IT environment implements, demonstrates and continuously monitors the controls required to meet key security frameworks and regulatory requirements including SOC1 and SOC2, ISO 2700x, HIPAA and PCI-DSS, as required by the GBUs.

 

Responsibilities

  • Facilitate world class security and compliance programs to support a heterogeneous group of businesses
  • Collaborate with LoB leadership to ensure awareness and consistency in approach and delivery
  • Facilitate third party attestations, audits and certification efforts for the GBUs 
  • Assess the Cloud compliance and security landscape to keep GBUCS controls current with industry standards
  • Interface with corporate groups including Corporate, Privacy and Security legal and Internal audit to ensure compliance with policy
  • Lead project team members and formalize risks and key controls associated with significant Oracle Cloud for Industry and GBU processes
  • Coordinate audit testing, documentation, self-assessment testing and remediation activities.
  • Make recommendations to correct deficiencies identified during the various audits.
  • Perform the role of compliance consultant and subject matter expert for the Oracle GBUs to help them improve their control environment as necessary
  • Manage project functions including project scheduling, tracking, communications, and controlling to ensure the project meets its aim on schedule
  • Coordinate and facilitate 3rd party audit activities
  • Maintain and update security and compliance reporting
  • Manage security and compliance related projects for the GBUs

Qualifications

  • Bachelor's degree or equivalent
  • CISA, CISM, CISSP, CIPP desired
  • 10+ years related experience
  • Formal training in project management
  • Fluency & extensive experience in IT auditing and controls, preferably with SOC 1 & SOC 2, ISO 2700X and/or HIPAA or PCI-DSS
  • Strong working knowledge of IT processes and IT infrastructure
  • Proven ability to combine business acumen, technical acumen and process expertise to define control requirements for SOC 1 & SOC 2, ISO 2700X, HIPAA, PCI-DSS
  • Demonstrated success in leading, controlling, & completing complex projects

Develops and executes programs and processes to reduce information security risk and strengthen Oracle’s security posture.

Supports the strengthening of Oracle’s security posture, focusing on one or more of the following: risk management; regulatory compliance; threat and vulnerability management; incident management and response; security policy development and enforcement; privacy; information security education, training and awareness (ISETA); digital forensics and similar focus areas.

Risk Management: Assesses the information security risk associated with existing and proposed business operational programs, systems, applications, practices and procedures in complex, business-critical environments. May conduct and document complex information security risk assessments. May assist in the creation and implementation of security solutions and programs.

Regulatory Compliance: Assists in programs to establish, document and track compliance to industry and government standards and regulations, e.g. ISO-27001, PCI-DSS, HIPAA, FedRAMP, GDPR, etc. Researches and interprets current and pending governmental laws and regulations, industry standards and customer and vendor contracts to communicate compliance requirements to the business.

Threat and Vulnerability Management: May research, evaluate, track, and manage information security threats and vulnerabilities in situations where analysis of well-understood information is required.

Incident Management and Response: Responds to security events, identifying possible intrusions and responding in line with Oracle incident response playbooks.

Digital Forensics: May conduct data collection, preservation and forensic analysis of digital media independently, where a basic understanding of forensic techniques is required.

Other areas of focus may include duties managing Information Security Education, Training and Awareness programs. In a Corporate Security role, may manage the creation, review and approval of corporate information security policies. Compiles information and reports for management.

Required: Minimum of 5 years' experience in information systems, business operations, or related fields, at least 2 years of which must be from at least one of the following: information security risk management; information security program management; industry/government security compliance program management (ISO-27001, GDPR, HIPAA, FedRAMP, etc.); threat and vulnerability management; incident management and response; security policy development and enforcement; privacy; information security education, training and awareness (ISETA); information security solutions development, etc.

Preferred but not required qualifications include: Bachelor-level university degree in a relevant field from an accredited university, or equivalent. CISSP, CISM, CISA, CIPP or other equivalent certification. Experience managing security incidents and vulnerabilities through their life cycle. Experience designing and developing automated processes for responding to possible network intrusions. Knowledge of secure software design principles and the software development life cycle. Experience with at least 1 automation language or framework (Python, Ruby, SALT, Terraform, etc.) or vulnerability scanning tool (Qualys, Burp Suite, etc.).

As part of Oracle's employment process, candidates will be required to successfully complete a pre-employment screening process. This will involve identity and employment verification, professional references, education verification and professional qualifications and memberships (if applicable).
