Nordstrom
Senior GRC Compliance Analyst (Hybrid - Seattle)
Join Nordstrom's Governance, Risk, and Compliance (GRC) team as a Senior Analyst specializing in PCI compliance. You will be a key member of our Compliance Assessment (CA) Team, building scalable compliance programs to enhance Nordstrom's security posture, reduce risk, and ensure audit success across complex regulatory frameworks.
Responsibilities
Design and execute specialized compliance assessments for complex regulatory environments, emerging regulations, multi‑jurisdictional requirements, and specific industry standards, adapting methodologies as needed.
Serve as a PCI subject matter expert and lead the annual merchant assessment process.
Support various regulatory and security assessments, applying both qualitative and quantitative assessment techniques and developing test approaches for compliance validation.
Provide guidance and best practices to Nordstrom engineers and leadership on how to effectively meet regulatory requirements.
Coordinate operational activities across multiple stakeholders including Legal, IT, Finance, and Business teams to ensure comprehensive regulatory coverage and effective remediation strategies.
Manage the full lifecycle of applicable risk/compliance remediation plans, including the development of detailed treatment plans, documentation, rigorous tracking, and validation of efforts from internal stakeholders.
Implement process improvements within specialized compliance domains, developing standardized approaches and best practices for recurring regulatory assessment scenarios.
Drive the standardization and enhancement of assessment programs and improve the Common Control Framework to increase control testing efficiency.
Identify and implement process improvements to enhance operational efficiency.
Provide input and guidance on security policies and standards to ensure compliance with regulatory requirements.
Develop compliance metrics and reporting for specialized regulatory domains, creating dashboards and analytics that provide actionable insights to management and support regulatory reporting.
Define KPIs and KRIs and continuously measure and report on the effectiveness of our control posture, driving year‑over‑year improvement and sustained audit success.
Support quarterly strategic initiatives by contributing regulatory expertise to short‑term compliance projects and organizational improvement efforts.
Contribute to the strategic vision and roadmap for the Compliance Assessment Team, supporting the development of reusable, scalable solutions to enhance program efficiency and support organizational growth.
Educate stakeholders on regulatory compliance requirements and changes through training sessions, workshops, and consultation to improve organizational compliance awareness and readiness.
Mentor junior analysts by providing guidance on assessment techniques, regulatory interpretation, and organizational compliance practices.
Qualifications
5+ years of experience in regulatory compliance with demonstrated specialization in specific regulatory domains.
5+ years of experience managing technically complex PCI assessments end to end with external assessors. Deep knowledge of PCI assessment processes and requirements at a Level 1 merchant, including data centers, retail locations, call centers, and cloud computing environments.
Bachelor's or Master's degree in Information Technology, Computer Science, Cybersecurity, or related field, or equivalent work experience.
Proficiency with security and regulatory frameworks (CIS, NIST, SOX, HIPAA, PCI DSS, CCPA, etc.).
Broad and deep understanding of the retail business domain, including experience with online, phone order, and physical store sales channels.
Experience building or maintaining a Common Control Framework.
Advanced compliance assessment capabilities and stakeholder management experience.
Ability to adapt methodologies to complex regulatory scenarios.
Strong bias for results and ability to operate independently to address bottlenecks, provide escalation management, anticipate and make trade‑offs, and encourage behavior to maximize business benefit.
Highly collaborative skillsets and ability to build and leverage relationships with internal and external stakeholders.
Excellent written and verbal communication skills, including presentation skills, and proven ability to effectively communicate with all levels of the organization, as well as with external parties.
Preferred Qualifications
Professional‑level certification (CISA, CRISC, CIPP, CPA, CIA, CISM, CISSP, or equivalent).
Domain‑specific certifications such as PCI Professional, SOX certifications, privacy certifications, or relevant regulatory specializations.
Experience with assessment automation.
Technical background and demonstrated proficiency in security tooling.
Experience with Onspring GRC platform.
Benefits
Medical/Vision, Dental, Retirement and Paid Time Away.
Life Insurance and Disability.
Merchandise Discount and Employee Assistance Program (EAP) resources.
Pay Range $142,000.00 - $220,500.00 Annual.
Location Seattle, WA (Hybrid).
Equal Opportunity Statement Nordstrom is an equal opportunity employer. We do not discriminate on the basis of race, color, religion, sex, national origin, disability, or any other characteristic protected by law. Legal notices and background check requirements may vary by state. For more information, see our career site FAQ.
#J-18808-Ljbffr
Responsibilities
Design and execute specialized compliance assessments for complex regulatory environments, emerging regulations, multi‑jurisdictional requirements, and specific industry standards, adapting methodologies as needed.
Serve as a PCI subject matter expert and lead the annual merchant assessment process.
Support various regulatory and security assessments, applying both qualitative and quantitative assessment techniques and developing test approaches for compliance validation.
Provide guidance and best practices to Nordstrom engineers and leadership on how to effectively meet regulatory requirements.
Coordinate operational activities across multiple stakeholders including Legal, IT, Finance, and Business teams to ensure comprehensive regulatory coverage and effective remediation strategies.
Manage the full lifecycle of applicable risk/compliance remediation plans, including the development of detailed treatment plans, documentation, rigorous tracking, and validation of efforts from internal stakeholders.
Implement process improvements within specialized compliance domains, developing standardized approaches and best practices for recurring regulatory assessment scenarios.
Drive the standardization and enhancement of assessment programs and improve the Common Control Framework to increase control testing efficiency.
Identify and implement process improvements to enhance operational efficiency.
Provide input and guidance on security policies and standards to ensure compliance with regulatory requirements.
Develop compliance metrics and reporting for specialized regulatory domains, creating dashboards and analytics that provide actionable insights to management and support regulatory reporting.
Define KPIs and KRIs and continuously measure and report on the effectiveness of our control posture, driving year‑over‑year improvement and sustained audit success.
Support quarterly strategic initiatives by contributing regulatory expertise to short‑term compliance projects and organizational improvement efforts.
Contribute to the strategic vision and roadmap for the Compliance Assessment Team, supporting the development of reusable, scalable solutions to enhance program efficiency and support organizational growth.
Educate stakeholders on regulatory compliance requirements and changes through training sessions, workshops, and consultation to improve organizational compliance awareness and readiness.
Mentor junior analysts by providing guidance on assessment techniques, regulatory interpretation, and organizational compliance practices.
Qualifications
5+ years of experience in regulatory compliance with demonstrated specialization in specific regulatory domains.
5+ years of experience managing technically complex PCI assessments end to end with external assessors. Deep knowledge of PCI assessment processes and requirements at a Level 1 merchant, including data centers, retail locations, call centers, and cloud computing environments.
Bachelor's or Master's degree in Information Technology, Computer Science, Cybersecurity, or related field, or equivalent work experience.
Proficiency with security and regulatory frameworks (CIS, NIST, SOX, HIPAA, PCI DSS, CCPA, etc.).
Broad and deep understanding of the retail business domain, including experience with online, phone order, and physical store sales channels.
Experience building or maintaining a Common Control Framework.
Advanced compliance assessment capabilities and stakeholder management experience.
Ability to adapt methodologies to complex regulatory scenarios.
Strong bias for results and ability to operate independently to address bottlenecks, provide escalation management, anticipate and make trade‑offs, and encourage behavior to maximize business benefit.
Highly collaborative skillsets and ability to build and leverage relationships with internal and external stakeholders.
Excellent written and verbal communication skills, including presentation skills, and proven ability to effectively communicate with all levels of the organization, as well as with external parties.
Preferred Qualifications
Professional‑level certification (CISA, CRISC, CIPP, CPA, CIA, CISM, CISSP, or equivalent).
Domain‑specific certifications such as PCI Professional, SOX certifications, privacy certifications, or relevant regulatory specializations.
Experience with assessment automation.
Technical background and demonstrated proficiency in security tooling.
Experience with Onspring GRC platform.
Benefits
Medical/Vision, Dental, Retirement and Paid Time Away.
Life Insurance and Disability.
Merchandise Discount and Employee Assistance Program (EAP) resources.
Pay Range $142,000.00 - $220,500.00 Annual.
Location Seattle, WA (Hybrid).
Equal Opportunity Statement Nordstrom is an equal opportunity employer. We do not discriminate on the basis of race, color, religion, sex, national origin, disability, or any other characteristic protected by law. Legal notices and background check requirements may vary by state. For more information, see our career site FAQ.
#J-18808-Ljbffr