Senior Public Sector Security Compliance Manager

Remote - US


DocuSign

DocuSign ensures the security & mobility to digitally transform businesses. Sign docs for free.


IT, InfoSec, Cyber Risk & Business Operations | San Francisco, CA or Seattle, WA or Remote - US

This position is not eligible for employment in the following states: Alaska, Hawaii, Maine, Mississippi, North Dakota, South Dakota, Vermont, West Virginia and Wyoming.

Our agreement with employees
DocuSign is committed to building trust and making the world more agreeable for our employees, customers and the communities in which we live and work. You can count on us to listen, be honest, and try our best to do what’s right, every day. At DocuSign, everything is equal. We each have a responsibility to ensure every team member has an equal opportunity to succeed, to be heard, to exchange ideas openly, to build lasting relationships, and to do the work of their life. Best of all, you will be able to feel deep pride in the work you do, because your contribution helps us make the world better than we found it. And for that, you’ll be loved by us, our customers, and the world in which we live.

The team 
Our IT, InfoSec, Cyber Risk & Business Ops team is in the business of trust and reliability. We create, maintain and operate scalable technology and data solutions that deliver an exceptional experience for our internal and external customers. We embrace Agile principles and values, favor DevOps practices, and treat infrastructure as code, all while we build an infrastructure that scales and supports our growth and ambitious vision. This requires a smart, highly collaborative team who can identify, investigate, and implement new technologies to continue securely scaling our global business.

This position
The Senior Public Sector Security Compliance Manager will be responsible for creating and maintaining a world-class, comprehensive System Security Plan (SSP) for DocuSign. This role will manage all aspects of planning, writing, updating, and ensuring the completeness of DocuSign’s SSP as a critical component in maintaining FedRAMP compliance. The Senior Public Sector Security Compliance Manager will provide hands-on project and program leadership throughout the SSP lifecycle. This role will work closely with a wide variety of internal stakeholders, including project teams, leadership of various business units, end users, and other members of DocuSign’s Trust and Security Team to ensure that all required documentation is in place.

To be successful in this role, you should have deep expertise in industry and government compliance for cloud service providers, be a strategic problem-solver, and possess a demonstrated ability to deliver high-quality documentation within established timelines. You should understand the SSP and related documents required to pursue an Authority to Operate (ATO) and understand the role of Third Party Assessment Organizations (3PAOs) and auditors. You should understand the difference between the FedRAMP and DoD/DISA impact levels, including IL-2 and IL-4.

This position is an individual contributor reporting to the Director of Compliance and is designated Flex.

Responsibilities

  • Create and maintain a comprehensive System Security Plan (SSP) for DocuSign, including updates to associated documentation such as the Plan of Action and Milestones (POA&M), Readiness Assessment Report (RAR), Security Assessment Plan (SAP), etc.
  • Enable DocuSign’s ability to maintain compliance and Authority to Operate (ATO) for its FedRAMP environment by means of ongoing self-assessments of the SSP
  • Drive the overall uplift of DocuSign’s public sector security compliance posture through critical assessment of required documentation, including gap analyses and recommendations of improvements
  • Ensure that any findings are addressed and reflected in the SSP and/or supporting attachments
  • Perform project and program management
  • Develop and maintain strong relationships based on trust and transparency with primary business stakeholders

Basic qualifications

  • BA/BS degree in Computer Science or related field, or equivalent work experience
  • 5+ years of industry experience
  • 2+ years of experience working with US government standard certification and compliance processes including FedRAMP and NIST
  • Experience with the FedRAMP JAB P-ATO and Agency ATO processes
  • Understanding of the requirements of continuous monitoring after achieving an ATO
  • Training in FedRAMP submission requirements is preferred
  • Proven work experience as an Information Security professional or Application Security Engineer
  • Working experience with IT and enterprise risk management methodologies
  • Working experience with a GRC tool
  • Ability to read and interpret third-party reports and certifications and the relevance of controls and control strength (SOC 2, BCP, ISO, ASCII, IRAP, FedRAMP, PCI)

Preferred qualifications

  • 4+ years of IT industry experience with different cloud platforms
  • CISSP, CRISC, CISM, CIPP or similar certifications
  • Good current understanding of risks as they relate to security systems, including firewalls, ports, anti-virus software, authentication systems (SAML, SSO, MFA), log management, penetration testing and code review techniques, web-related technologies and protocols, and third-party integrations and secure data sharing over various mediums (API connections, SFTP, etc.)
  • Ability to engage with technical teams to present assessment results, risks and to participate in discussions around acceptable and compensating controls
  • Problem solving skills and ability to work under pressure
  • Understanding of cloud computing concepts and security industry standards and frameworks (ISO, PCI, NIST, CSA)
  • Broad understanding of non-security-related risk (financial/credit, legal compliance (OFAC, ABAC))
  • Comfortable with ambiguity and fast change with an ability to adapt as needed

Vaccination requirement 
DocuSign may require all employees to be fully vaccinated against COVID-19 and provide proof of vaccination to visit a DocuSign office, to meet with potential or actual customers or business partners, or for other business-related purposes, in accordance with local law. Please note that DocuSign has contracts with different governments globally which may require compliance with local and federal laws.

About us
DocuSign helps organizations connect and automate how they prepare, sign, act on, and manage agreements. As part of the DocuSign Agreement Cloud, DocuSign offers eSignature: the world's #1 way to sign electronically on practically any device, from almost anywhere, at any time. Today, over a million customers and hundreds of millions of users in over 180 countries use DocuSign to accelerate the process of doing business and simplify people's lives. And we help save the world’s forests and embrace environmental sustainability.

It's important to us that we build a talented team that is as diverse as our customers and where all employees feel a deep sense of belonging and thrive. We encourage great talent who bring a range of perspectives to apply for our open positions. DocuSign is an Equal Opportunity Employer and makes hiring decisions based on experience, skill, aptitude and a can-do approach. We will not discriminate based on race, ethnicity, color, age, sex, religion, national origin, ancestry, pregnancy, sexual orientation, gender identity, gender expression, genetic information, physical or mental disability, registered domestic partner status, caregiver status, marital status, veteran or military status, or any other legally protected category.

Accommodations
DocuSign provides reasonable accommodations for qualified individuals with disabilities in job application procedures, including if you have any difficulty using our online system. If you need such an accommodation, you may contact us at accommodations@docusign.com.



Regions: Remote/Anywhere North America
Country: United States