CLEAR's mission is to strengthen security and create frictionless experiences. We believe you are you and by using your biometrics - your eyes, face, and fingerprints - we keep you moving. Imagine a world where you can do virtually everything you need to - breeze through the airport, buy a beer at the game, check-in at the doctor's office, access your office building, and more - without ever pulling out your wallet. CLEAR is currently available in 50+ airports, stadiums and venues nationwide. Now with Health Pass, CLEAR securely connects a person's digital identity to multiple layers of COVID-related insights to help reduce public health risk and restore peace of mind.
We're defining and leading an entirely new industry, obsessing over our customers, and investing in great people to lead the way. Recently named on CNBC's Disruptor 50 List for the second year in a row and winner of the SXSW Interactive Innovation Award, CLEAR is providing innovative technology options for businesses and our 5+ million members to help create a safer environment no matter where you go.
CLEAR is seeking a Director of Technology Assurance & Compliance. The right person for this role has a strong drive to solve security challenges within a rapidly expanding environment, and the desire to implement best-in-class security measures using cutting edge technology. This individual will work in CLEAR's GRC team, partnering heavily with Infrastructure, DevOps, and Security Engineering teams in a cloud-native environment. Technology Assurance & Compliance will focus on interfacing with key external regulators and business partners (audit response, contract review, etc.), managing internal regulatory standard compliance efforts, and working with teams to brainstorm compliant solutions and remediate any outstanding compliance issues. This individual will have solid experience in cyber & IT regulatory compliance (FISMA, NIST 800-53, PCI-DSS, HIPAA, etc.), demonstrated success in working with Federal agencies and governing bodies, responding to IT or security audits and compliance attestations, and performing information assurance and compliance assessments.
What You Will Do:
Maintain security and establish functional requirements for security measures.
Coordinate with business area managers and professional staff to ensure information system security compliance.
Be the focal point for interactions with Federal agency regulators and auditors
Work with CLEAR's various Government programs and security staff to complete required Systems Security Plans (SSPs).
Define, create and maintain the documentation for certification and accreditation of each information system in accordance with government and regulatory requirements.
Assess the compliance impacts of system modifications and technological advances.
Review systems in order to identify potential security weaknesses and recommend improvements to amend vulnerabilities
Be responsible for authentication of hardening hardware and software systems against external or internal threats.
Assess remediations, changes, upgrades and documentation revisions for alignment with CLEAR's business critical security frameworks
Lead security control assessments and audits
Recommend changes to information security policies
Monitor and review updates to regulations, frameworks and contracts. (NIST 800-53, PCI-DSS, HIPAA)
Communicate updates to technology and business owners
Document changes to policy; such as new and enhanced controls
Provide tracking procedures to support policies are developed and maintained by technical and business owners
Respond to business partner security inquiries & audits and ensure that any findings are remediated in a timely fashion
Participate in the selection of information security solutions
Respond to inquiries from staff, administrators, service providers, site personnel and outside vendors, to provide technical assistance and support
Who You Are:
7+ years of information systems security or related auditing experience
Experience with information systems security standards and practices (NIST 800-53, PCI-DSS, HIPAA, etc.)
Familiar with Federal ATO process and able to produce appropriate documentation and evidence (CDRs, SSPs, etc.)
Able to balance business priorities/initiatives with sound risk management
Familiar with risk management processes (e.g., methods for assessing and mitigating risk)
Expertise with cybersecurity and privacy principles and controls used to manage risks related to the use, processing, storage, and transmission of information or data
Conversant with system and application security risks, threats and vulnerabilities
Familiar with network security architecture concepts: including topology, protocols, components, and principles (e.g., application of defense-in-depth)
Understand technology, management, and leadership issues related to organization processes and problem solving
Understand advanced concepts and issues related to cyber security and its organizational impact
Because of the constant developing nature of information systems and cyber attacks, you must be committed to continuous learning and system knowledge.
Working knowledge of cloud, container, and network security
Excellent oral and written communication skills in both a technical & non-technical environment
Highly analytical and effectively able to troubleshoot and prioritize needs, requirements and other issues
Strong problem-solving skills, detail orientation, follow-through capabilities and escalation of key issues
Ability to work with diverse personalities within various levels of the organization
Ability to manage multiple issues at one time
Strong ability to analyze, consolidate and communicate complex technical topics to all levels of staff including but not limited to IT executives, business/technical managers, developers and system administrators in verbal and written form
Ability to independently organize, prioritize and follow-up on tasks in a high-pressure environment
Can work effectively in a dynamic environment where shifting priorities frequently alter work plans
Established security certifications such as CISSP, CRISC, etc. preferred