Chedraui USA
Store Support Center
We are searching for an experienced
Manager, IT Risk & Compliance
for our Store Support Center located at 600 Citadel Drive, Commerce, CA, 90040.
SUMMARY
The IT Risk & Compliance Manager is an important role in supporting the overall vision of the IT Risk & Compliance Program at Smart & Final, which is to govern IT Risk and Compliance activities and initiatives to ensure internal and external regulatory compliance, minimize risk, and ensure the overall control environment is in line with company strategy and industry-leading best practices. The IT Risk & Compliance Manager is a skilled IT compliance professional who uses their deep knowledge of compliance to operationalize, monitor and enforce the adoption of organization-wide IT standards, policies, training and procedures. This role requires a strong understanding of IT systems, control environments, regulations (SOX, PCI, NIST and CCPA), and audit methodologies, as well as excellent communication and leadership skills.
ESSENTIAL DUTIES AND RESPONSIBILITIES
Act as project manager and business/audit liaison for external and internal IT audits; responsible for the strategy, plan, and results of the annual SOX and PCI audits as they relate to IT controls.
Provide support for audit-related matters, including oversight, internal facilitation, review, and remediation efforts.
Perform detailed reviews of IT systems, processes, and controls to assess compliance with regulatory requirements and internal policies.
Evaluate the design and operating effectiveness of IT controls, including information security, data privacy, change management, and disaster recovery.
Identify control gaps, potential risks, and areas for improvement.
Prepare comprehensive reports detailing findings, recommendations, and action plans to remediate gaps in controls.
Independently manage small and large IT compliance projects, engagement reviews and initiatives to ensure compliance prior to completion.
Advise project teams on specific IT Risk & Compliance requirements. This includes engaging on IT-led projects, advising on specific policy matters, assisting teams with designing sound, compliant processes and/or technical controls, reviewing internal compliance documentation, and demonstrating an overall mastery of internal controls, processes, and company policies.
Support the development and execution of IT Risk, Cybersecurity and Compliance training curriculum and training materials/content.
Manage or support targeted compliance reviews on behalf of the IT Risk & Compliance department.
Support the development of IT risk treatment plans and manage continuous improvement programs.
Stay updated on evolving IT regulations, industry trends, and emerging technologies that may impact compliance requirements.
Assess the impact of regulatory changes on the organization’s IT compliance framework and advise management on necessary actions to maintain compliance and mitigate risks.
Responsible for setting company policy as it relates to IT Risk and Compliance.
Drive the development of internal compliance and risk dashboards and management reporting.
Review draft policies, participate in feedback channels, and incorporate necessary changes to internal documentation, checklists and supporting policy meta-model.
Advise the IT department on the corporate control environment as it relates to COSO 2013, SOX ITGCs, PCI-DSS controls, and corporate policy.
Serve as a policy and controls subject matter expert to both internal and external teams.
Review and endorse aids, implementation guides, education material and/or other templates to support project, department and organizational wide compliance training and awareness efforts.
Participate in the development and review of technical and process-related documentation, including operating procedures, control manuals, and business requirement documents.
Drive continuous improvement by tracking compliance gaps and recommendations to ensure timely resolution, identifying opportunities to streamline and automate processes for increased efficiency, and developing and delivering training programs to raise awareness of compliance requirements and best practices.
Promote awareness of internal control and security issues among management and ensure sound security principles are reflected in the organization's vision and goals.
Engage with stakeholders cross-organizationally to ensure IT Risk & Compliance issues or inquiries are properly addressed.
Contribute to the internal knowledge repository for the IT Risk & Compliance team.
General Duties Include
Oversee the design, development, and implementation of software and hardware solutions, systems, or products to ensure compliance with company standards and regulatory requirements.
Assess risks and identify/implement mitigations related to grocery business functions such as point-of-sale (POS) systems, self-checkout technology, payment processing infrastructure, supply chain and ecommerce platforms.
Lead the PCI-DSS (Payment Card Industry Data Security Standard) compliance program across all payment channels.
Maintain compliance with state and federal data privacy laws including CCPA, CPRA, and emerging state regulations.
Oversee compliance with food safety data regulations and traceability requirements (FDA FSMA).
Establish and maintain regular written and in-person communications with the organization’s executives, department heads, and end users for related IT activities.
Understand organizational behavior and how it influences business solutions.
Use strong meeting management skills to engage participants in productive work sessions.
Develop business case justifications and cost/benefit analyses for IT spending and initiatives.
Approve and oversee projects and project portfolios.
Manage financial aspects, including purchasing and budgeting.
Negotiate with and administer 3rd party vendors; manage services and consultant contracts to ensure compliance with the defined IT policies.
Manage a team, including recruitment, supervision, scheduling, development, evaluation, and disciplinary actions for internal and 3rd party resources.
Successfully engage in multiple initiatives simultaneously.
Deliver assigned projects on time and on budget.
Leverage negotiation skills to challenge business and IT users on assumptions and help craft innovative and effective solutions.
Ability to make timely recommendations to effectively solve problems, using independent judgment consistent with standards, practices, policies, procedures, regulations, and/or law.
Ability to design, deliver and manage Cybersecurity, Risk and Compliance training for company associates using industry tools such as KnowBe4.
Proficiency in leading identity and access management (IAM), vulnerability management, and incident response in partnership with the Cybersecurity function.
EDUCATION
Bachelor’s degree (BA/BS) from an accredited institution required. Computer Science, Accounting, Economics, or Business preferred.
EXPERIENCE
Prior experience at a public accounting firm or in internal audit at a publicly traded company required.
5+ years of IT policy, controls, assessment and audit experience required.
Prior experience working within or auditing an IT organization, supporting enterprise-level IT functions and processes, required.
Big Four accounting firm experience a plus.
Experience in Management Consulting, IT Governance, Internal Audit, or Information Security a plus.
4+ years of program and project management experience a plus.
Demonstrated expertise in ISO, CIS, NIST, COBIT or other information security / IT controls frameworks.
Demonstrated familiarity with cloud control frameworks, including CSA STAR, ISO 27017, COBIT for Cloud Assessments or other information security / IT controls frameworks.
Deep understanding of IT audit, compliance, and risk management methodologies and/or approaches.
Basic understanding of current Information Security frameworks, risks, and industry/common technologies.
Demonstrated skill in team discussions and executive presentation deck development.
IT Risk Management Frameworks: Proficiency with NIST, ISO 27001, COBIT, and COSO frameworks.
Regulatory and Compliance Knowledge: Familiarity with SOX, GDPR, HIPAA, PCI-DSS, GLBA, CCPA, or other industry-specific regulations.
IT Controls Assessment: Ability to design, assess, and monitor IT General Controls (ITGCs) and application controls.
Audit and Assurance Tools: Experience with GRC (Governance, Risk & Compliance) platforms such as Archer, ServiceNow/SAP GRC, MetricStream, or OneTrust.
Data Protection and Privacy: Knowledge of data classification, encryption, and privacy-by-design principles.
CERTIFICATIONS
One or more of the following ISACA certifications strongly preferred: CISA, CISM, CRISC, CGEIT.
The following certification is a plus: ITIL v3 (any level).
COMPENSATION: The salary range for this position is $125,000.00 to $150,000.00. The actual starting pay will be determined by a number of qualifications, including experience and relevant skills.
Our company provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, or genetics.