Compliance Analyst

Office Headquarters: Lower Manhattan, NY (in-office three days a week)

• The U.S. Government agencies we work with have contracts that require all personnel working on their corresponding contracts to have U.S. citizenship – do you meet this requirement?

Accrete is looking for a Compliance Analyst that will be responsible for supporting compliance for SOC 2 type I and type II, NIST 800-53 and FedRAMP Moderate audit compliance as well as risk management support.

The role reports into the CISO and will have a heavy emphasis on compliance and security enforcement.

Accrete is an AI prime defense contractor with the U.S. government that creates AI software, enabling its customers to make better decisions, faster. Accrete is on a mission to create AI so powerful it amplifies human reasoning and enables enterprises to grow in previously unimaginable ways. Prior to launching Accrete in 2017, Prashant Bhuyan, Accrete’s Founder and CEO, spent over a decade in high-frequency trading where he and a core team experimented with and developed AI technology that ultimately became the early underpinnings of Accrete.

Accrete’s solutions enable the Department of Defense to predict covert behavior from foreign adversaries seeking to influence the supply chain; the U.S. Air Force to identify vulnerabilities in microprocessor firmware; major music labels to identify superstars before competitors; auto dealers to automatically generate marketing content from vehicle feature lists; employee benefits brokers to identify the shortest path to the hottest leads; and more.

To learn more about Accrete, please visit our website: Accrete.ai

Success for the Compliance Analyst for the first 3-6 months:

• Learn Accrete products, and technological capabilities and work across internal stakeholders and product engineering teams to drive continuous monitoring requirements, and drive continuous improvements within the Cybersecurity team for SOC II and FedRAMP program.
  
• Coordinate with internal stakeholder engineering teams and external MSSP to demonstrate the implementation of security compliance control implementations for technical, management, and operational requirements
  
• Submit audit evidence to 3PAO within a one-week period from the assignment
• Learn GRC tools for supporting audit management and gathering evidence for audits
• Perform vulnerability and compliance scanning, analyze results, and provide assessments and reviews
• Audit security control to ensure compliance with cloud requirements and governance models
  
• Support the development of technical material, operational processes, security policies, and other core documents
  
• Develop and manage compliance metrics against NIST 800-53 framework
• Manage program for Plans of Action and Milestones (POA&Ms)
• Manage onsite assessments and coordinate with external stakeholders
• Establish Risk Management documentation and monitor the remediation status of risks.
• Prepare reports for customers
• Prepare reports for CISO, Accrete management, and board of directors
• Success for the Compliance Analyst for the first 6 - 12 months:
• Automate workflows using GRC tools
• Prepare and collect evidence for upcoming audits for SOC 2 and FedRAMP.
• Update operating procedures for Accrete.
• Recommend improvements to compliance operations to CISO and management
• Conduct quarterly risk management updates
• Facilitate annual security and compliance operations improvement summit.

Requirements

Qualifications:

At least 2 years of experience or training in some of these areas:

• Experienced in writing Technical documentation and knowledge of Cloud and Security concepts
• Experience on SOC 2, NIST SP 800 Series, and FedRAMP
• Experience with writing, editing, and/or managing a wide variety of IT security documentation and familiarity with federal IT standards such as NIST 800-53
• Experience interviewing subject matter experts and using knowledge to develop, edit, and revise documentation including standard operating procedures, system security plans, and policies and procedures.
• Experience with the production and/or editing of technical drawings using Lucid Chart or similar design tools.
• Experience with technical documentation related to SOC 2 type II, FIPS 199, NIST SP 800-37, NIST SP 800-53 REV 4, and continuous monitoring, and POA&M management.
• Understanding of Third-party Assessment Organizations (3PAO) Experience, training or some knowledge of:
• SOC 2 type II controls
• National Institute of Standards and Technology (NIST) standards
• Strong governance, risk and compliance experience
• Cloud Computing Security Requirements Guide (SRG)
• Experience and familiarity with cloud data security (FedRAMP compliance) and working with public cloud solutions (AWS, etc)
• Experience writing proposals and understanding basic contract language
• Deep experience NIST SP 800 Series, FedRAMP and FISMA
• ISO27001 - specifications for a framework of policies and procedures that include all legal, physical, and technical controls involved in an organization's risk management

General skills include:

• Demonstrate strong verbal and written communication skills as well as strong analytical and problem-solving abilities
• Excellent English language, grammar, and spelling skills for writing, editing, and proofreading
• Ability to work independently or as a member of a team on various tasks.
• Skilled at organizing and translating information into clear written documentation; articulating complex concepts and processes in writing
• Proven ability to effectively research subject matter
• Experience working in a collaborative environment; ability to work well under tight deadlines and effectively interact with a wide range of personnel
• Strong experience with Microsoft product suite, particularly Microsoft Word, PowerPoint, and SharePoint
• Strong writing skills - must submit samples

Industry-specific requirements

• Knowledge, experience, and subject matter expertise in the following:
• FedRAMP (Federal Risk Authorization Management Program)
• NIST SP 800-53 Rev 4
• NIST SP 800-37
• ISO 27001/2 Risk Management Framework
• Supporting Systems Security Assessment and Authorization (SA&A) for Federal Agencies
• NIST FIPS 199, Data Classification
• Privacy Impact Assessment (PIA)

Education

• Bachelor's degree in a relevant field (e.g., English, Business Writing, Business Administration, Information Technology, Information Security, etc.)

Responsibilities:

• Write and maintain operating procedures supporting SOC 2 type I and type II
• Work with 3PAO for audits for FedRAMP and SOC 2.
• Write deliverables to support audits
• Gather evidence and submit to auditors
• Administer GRC system and tools for audit
• Follow up with cross-functional team members to get evidence for audits
• Manage risk management content for enterprise and systems
• Conduct business impact analysis

Benefits

Benefits & Perks

• Fortune 500-level core benefits package: health, dental, vision, Rx, long-term disability, short-term disability, life insurance, 401(k)
• 15 days of vacation, five days of sick leave, and all U.S. federal holidays off
• Company events include happy hours, team bonding with bowling, tennis, and more
• Our office is stocked with snacks – healthy, delicious, beverages, vitamins & more
• Performance bonuses awarded on twelve-month calendar anniversary dates (cash/equity)
• Work in a beautiful office in downtown Manhattan