IT Risk, Security and Compliance Manager for SAP
Sierra Office, Irving, TX
The IT Risk, Security and Compliance Manager will plan, oversee and execute risk and controls assessments, perform compliance testing, and provide documentation across all domains for IT General Controls, SOX, Payment Card Industry (PCI), Data Privacy, and other energy/utilities compliance requirements to support the Energy Future Holdings/TXU Energy corporate security and compliance program. The Manager will be the primary point of contact for all controls-related matters (projects, internal/external audit, requests, inquiries, etc.), including SAP security, role methodology, and process and controls. The Manager will update or develop and publish security policy and/or standards through collaboration with stakeholders in support of compliance requirements and company risk tolerance. The Manager will collaborate with HR, Legal, Supply Chain and Vendor Management on any related IT security, data privacy, and similar matters. The Manager will drive the creation of security processes, controls and lifecycles that align with security policy and regulatory compliance requirements. In addition, the Manager will support the EFH corporate IT Risk, Security and Compliance teams and/or the business with risk assessment processes, security awareness efforts, disaster recovery and business continuity efforts, compliance and regulatory projects, audits, or other inquiries related to EFH/TXUE controls.
Responsibilities and Duties:
Central point of contact for internal/external audit efforts related to TXUE.
Leads and executes the key initiatives surrounding PCI, data privacy, and SAP SOX internal and external audit issues and/or remediation efforts, from a controls or process perspective.
Ensures adequate and effective IT controls exist to meet current and future security compliance requirements found in laws and regulations such as NERC CIP, NRC, the PCI Data Security Standard (DSS), HIPAA, state and federal privacy law, the Sarbanes-Oxley Act, and Senate Bill 7.
In-depth experience with IT audit/assessment/examination; SAS 70/SSAE practices; ITIL; ISO 27002/17799; COBIT; and industry-standard application development methodologies.
In-depth internal control knowledge of core IT technologies and processes (e.g., network systems, operating systems, databases, change control tools and processes, computer system operations, application and system development, help desk and monitoring, information security, data backup/retention/recovery, IT vendor management, asset management, disaster recovery, etc.).
Assists with the establishment and refinement of procedures for the identification of company information assets, and assists information and system owners with the classification of these assets with respect to business impact.
Adept at communicating complex concepts to diverse audiences with varying skill sets. Strong written and verbal communication skills are critical.
Must be able to communicate with technology providers as well as with business leaders at all levels. The ability to understand the technical details and communicate the essentials at a high level is essential.
Ability to handle multiple large projects or programs concurrently and to manage competing priorities.
Supports the company-wide security awareness and education programs that are aligned with security policy, standards, regulatory requirements, and industry practices.
Supports the company-wide disaster recovery and business continuity efforts.
Establishes and maintains strong working relationships with groups such as the HR, Legal, Internal / External Audit, various IT owners and providers, and outside third parties which provide services to TXUE.
Possesses the relationship skills, cultural awareness, and organizational prowess required to work effectively in a large, highly matrixed organization. Capable of delivering results through a position of influence, not authority.
Attends conferences, professional association meetings, and technical symposia to remain aware of the latest developments in information security, data privacy, controls, standards, and trends.
Must have 5+ years of related experience performing the duties described above.
Must have at least 3 years in SAP security and/or controls, with SOX experience.
Bachelor’s degree required (preferably in Computer Science/Information Systems, Mathematics, or Engineering).
Good understanding and experience with COBIT, COSO, NIST, ISO27001/2, SAS 70/SSAE 16, PCI, SOX, and privacy regulations.
Professional certification (e.g. CISA, CIPP, PMP, CRISC, CISSP) preferred and a plus.
Previous consulting experience (“Big Four” experience preferred) in the utilities, energy or retail verticals preferred.
Experience in IT internal audit preferred.
Must have strong computer skills and be proficient in the use of Microsoft applications.