Distinguished Security Engineer – FedRAMP
Saviynt’s Enterprise Identity Cloud helps modern enterprises scale cloud initiatives and solve the toughest security and compliance challenges in record time. The company brings together identity governance (IGA), granular application access, cloud security, and privileged access (PAM) to secure the entire business ecosystem and provide a frictionless user experience. The world’s largest brands trust Saviynt to accelerate digital transformation, empower distributed workforces, and meet continuous compliance.
The Distinguished Security Engineer, Information Security, reports into Information Security leadership, and will lead various Technical and Governance, Risk and Compliance (GRC) efforts as they relate primarily to the FedRAMP Program.
The candidate will possess the ability to execute, scale, and continuously evolve the InfoSec and GRC functions to maximize the impact and oversight across the organization. The candidate must be comfortable managing projects in an Agile environment.
The candidate should be familiar with policy and compliance requirements, including policy documentation and system requirements to successfully respond to potential audits.
1. Prior experience working as a hands on Security Architect or Engineer. Solid understanding of cloud (AWS, Azure), containers and Kubernetes environments, and applications
2. Lead the evaluation and integration of security technologies, ensuring scalability, resilience, and compliance. as it pertains to FedRAMP environments
3. At least Senior Engineer level experience and practical hands-on working knowledge of secure solutions for cloud (AWS, Azure), containers and Kubernetes environments and applications
4. Ability to independently run vulnerability scans, triage results, establish exploitability of reported vulnerabilities, recommend risk mitigation controls, and deploy controls where needed
5. Ability to recommend monitoring enhancements needed, and evaluate detection alerts at a high level
WHAT YOU WILL BE DOING
Serve as the lead for Saviynt’s FedRAMP Info Sec and Compliance related activities
Taking Saviynt through FedRAMP certification and re-recertification journey
Develop System Security Plans (SSP), drive FedRAMP audit work with support from cross functional team members
Lead monthly ConMon discussions, especially the technical aspects
Review security documentation/artifacts such as audit reports, gap analysis reports, POA&Ms, etc.
Serve as the Governance POC both internally and externally.
Identify governance or compliance requirements, assess risks, review required forms
Serve as liaison across cross functional teams to help achieve Info Sec objectives. Proactively work with cross functional peers to establish InfoSec requirements and expectations, so that compliance checks provide assurance for implemented controls
Accountable for the execution of various compliance assessments throughout the year, primarily FedRAMP related audits. Ability to extend to other audits such as ISO 27001, PCI-DSS, SOC 1, SOC 2 is a plus
Draft and update key security documentation including policies, guidance documents, Contingency Plan, Incident Response Plan, etc.
Help automate GRC inefficiencies through automation and improved workflows.
Perform vulnerability scanning and provide remediation guidance as needed.
Have a working knowledge of the NIST CSF and RMF frameworks
Support customer requests as they pertain to Compliance queries and to other Information Security questions, with the support of technical Info Sec members
Develop and update Policies, Standards and Procedures per the organization’s policy framework
Establish and lead risk management activities, including identification of risk and recommended mitigations; track and manage risks and issues from identification through closure.
Establish and maintain appropriate metrics that will help measure the GRC posture of the company
Collaborate with key stakeholders to ensure successful execution of mission and business needs
Execute on GRC initiatives as defined within the security roadmap, while working with the broader Information Security team and technology teams
Conduct risk assessments, compile risk registers, and track risk remediation plans
Respond to requests from customers for information on our security measures
Completing vendor security reviews. Optimize and automate the security questionnaire process.
Review security clauses in customer and vendor contracts
Establish, review, and enhance security training and awareness programs
Support the business with customer engagements, including attending customer calls and supporting sales teams
WHAT YOU BRING
U.S. Citizenship: Applicants must be United States citizens.
Bachelor's degree or equivalent experience with a minimum of 15 years of experience
Knowledge of U.S. Federal Government security compliance, risk management processes and requirements, including NIST RMF and NIST SP 800-53 Rev 5 controls
Experience with GRC tools and automation is a plus
Experience with common controls framework, unified control framework (UCF) is a plus
Knowledge of current trends/technologies (i.e., Zero Trust, AI/ML, PAM, etc.) is a plus
Experience with vulnerability scanning, remediation, and continuous monitoring (ConMon)
Experience managing Agile projects with a focus on duties related to Product Owner
Experience developing executive level presentations to support Governance and broader Information Security updates to appropriate audiences
Experience assessing project and technical documentation to ensure compliance with established policies, processes, and procedures.
Requires sufficient technical background to be able to interpret audit and compliance requirements, and be able to support basic evidence gathering needs in support of audits
Ability to provide excellent written and oral communications by email, presentations, and mobile communication platforms (including: experience facilitating discussions, briefing senior managers, and conducting project meetings).
Experience supervising or managing an Agile project team.
Work on multiple projects and tasks concurrently
Experience defining project scope and objectives, developing detailed work products (schedules, status reports, etc.), conducting project meetings, and owning responsibility for project tracking and analysis.
Experience with continuous monitoring and Plans of Actions and Milestones (POA&Ms) is a plus
Knowledge of local legal and regulatory security requirements including HIPAA, FedRAMP, and GDPR/privacy
Flexible and collaborative approach to enabling and supporting the business
Strong stakeholder and relationship management skills
The candidate must:
Meet US persons on US soil requirements
Undergo full background investigation/screening
Undergo IAL3 requirements (Identity proofing to include I-9 document verification, biometric collection, and mailing address confirmation)
If required for this role, you will:
- Complete security & privacy literacy and awareness training during onboarding and annually thereafter
- Review (initially and annually thereafter), understand, and adhere to Information Security/Privacy Policies and Procedures such as (but not limited to):
> Data Classification, Retention & Handling Policy
> Incident Response Policy/Procedures
> Business Continuity/Disaster Recovery Policy/Procedures
> Mobile Device Policy
> Account Management Policy
> Access Control Policy
> Personnel Security Policy
> Privacy Policy
Saviynt is an amazing place to work. We are a high-growth, Platform as a Service company focused on Identity Authority to power and protect the world at work. You will experience tremendous growth and learning opportunities through challenging yet rewarding work which directly impacts our customers, all within a welcoming and positive work environment. If you're resilient and enjoy working in a dynamic environment you belong with us!
Saviynt is an equal opportunity employer and we welcome everyone to our team. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.
About the job
Apply for this position
Distinguished Security Engineer – FedRAMP
Saviynt’s Enterprise Identity Cloud helps modern enterprises scale cloud initiatives and solve the toughest security and compliance challenges in record time. The company brings together identity governance (IGA), granular application access, cloud security, and privileged access (PAM) to secure the entire business ecosystem and provide a frictionless user experience. The world’s largest brands trust Saviynt to accelerate digital transformation, empower distributed workforces, and meet continuous compliance.
The Distinguished Security Engineer, Information Security, reports into Information Security leadership, and will lead various Technical and Governance, Risk and Compliance (GRC) efforts as they relate primarily to the FedRAMP Program.
The candidate will possess the ability to execute, scale, and continuously evolve the InfoSec and GRC functions to maximize the impact and oversight across the organization. The candidate must be comfortable managing projects in an Agile environment.
The candidate should be familiar with policy and compliance requirements, including policy documentation and system requirements to successfully respond to potential audits.
1. Prior experience working as a hands on Security Architect or Engineer. Solid understanding of cloud (AWS, Azure), containers and Kubernetes environments, and applications
2. Lead the evaluation and integration of security technologies, ensuring scalability, resilience, and compliance. as it pertains to FedRAMP environments
3. At least Senior Engineer level experience and practical hands-on working knowledge of secure solutions for cloud (AWS, Azure), containers and Kubernetes environments and applications
4. Ability to independently run vulnerability scans, triage results, establish exploitability of reported vulnerabilities, recommend risk mitigation controls, and deploy controls where needed
5. Ability to recommend monitoring enhancements needed, and evaluate detection alerts at a high level
WHAT YOU WILL BE DOING
Serve as the lead for Saviynt’s FedRAMP Info Sec and Compliance related activities
Taking Saviynt through FedRAMP certification and re-recertification journey
Develop System Security Plans (SSP), drive FedRAMP audit work with support from cross functional team members
Lead monthly ConMon discussions, especially the technical aspects
Review security documentation/artifacts such as audit reports, gap analysis reports, POA&Ms, etc.
Serve as the Governance POC both internally and externally.
Identify governance or compliance requirements, assess risks, review required forms
Serve as liaison across cross functional teams to help achieve Info Sec objectives. Proactively work with cross functional peers to establish InfoSec requirements and expectations, so that compliance checks provide assurance for implemented controls
Accountable for the execution of various compliance assessments throughout the year, primarily FedRAMP related audits. Ability to extend to other audits such as ISO 27001, PCI-DSS, SOC 1, SOC 2 is a plus
Draft and update key security documentation including policies, guidance documents, Contingency Plan, Incident Response Plan, etc.
Help automate GRC inefficiencies through automation and improved workflows.
Perform vulnerability scanning and provide remediation guidance as needed.
Have a working knowledge of the NIST CSF and RMF frameworks
Support customer requests as they pertain to Compliance queries and to other Information Security questions, with the support of technical Info Sec members
Develop and update Policies, Standards and Procedures per the organization’s policy framework
Establish and lead risk management activities, including identification of risk and recommended mitigations; track and manage risks and issues from identification through closure.
Establish and maintain appropriate metrics that will help measure the GRC posture of the company
Collaborate with key stakeholders to ensure successful execution of mission and business needs
Execute on GRC initiatives as defined within the security roadmap, while working with the broader Information Security team and technology teams
Conduct risk assessments, compile risk registers, and track risk remediation plans
Respond to requests from customers for information on our security measures
Completing vendor security reviews. Optimize and automate the security questionnaire process.
Review security clauses in customer and vendor contracts
Establish, review, and enhance security training and awareness programs
Support the business with customer engagements, including attending customer calls and supporting sales teams
WHAT YOU BRING
U.S. Citizenship: Applicants must be United States citizens.
Bachelor's degree or equivalent experience with a minimum of 15 years of experience
Knowledge of U.S. Federal Government security compliance, risk management processes and requirements, including NIST RMF and NIST SP 800-53 Rev 5 controls
Experience with GRC tools and automation is a plus
Experience with common controls framework, unified control framework (UCF) is a plus
Knowledge of current trends/technologies (i.e., Zero Trust, AI/ML, PAM, etc.) is a plus
Experience with vulnerability scanning, remediation, and continuous monitoring (ConMon)
Experience managing Agile projects with a focus on duties related to Product Owner
Experience developing executive level presentations to support Governance and broader Information Security updates to appropriate audiences
Experience assessing project and technical documentation to ensure compliance with established policies, processes, and procedures.
Requires sufficient technical background to be able to interpret audit and compliance requirements, and be able to support basic evidence gathering needs in support of audits
Ability to provide excellent written and oral communications by email, presentations, and mobile communication platforms (including: experience facilitating discussions, briefing senior managers, and conducting project meetings).
Experience supervising or managing an Agile project team.
Work on multiple projects and tasks concurrently
Experience defining project scope and objectives, developing detailed work products (schedules, status reports, etc.), conducting project meetings, and owning responsibility for project tracking and analysis.
Experience with continuous monitoring and Plans of Actions and Milestones (POA&Ms) is a plus
Knowledge of local legal and regulatory security requirements including HIPAA, FedRAMP, and GDPR/privacy
Flexible and collaborative approach to enabling and supporting the business
Strong stakeholder and relationship management skills
The candidate must:
Meet US persons on US soil requirements
Undergo full background investigation/screening
Undergo IAL3 requirements (Identity proofing to include I-9 document verification, biometric collection, and mailing address confirmation)
If required for this role, you will:
- Complete security & privacy literacy and awareness training during onboarding and annually thereafter
- Review (initially and annually thereafter), understand, and adhere to Information Security/Privacy Policies and Procedures such as (but not limited to):
> Data Classification, Retention & Handling Policy
> Incident Response Policy/Procedures
> Business Continuity/Disaster Recovery Policy/Procedures
> Mobile Device Policy
> Account Management Policy
> Access Control Policy
> Personnel Security Policy
> Privacy Policy
Saviynt is an amazing place to work. We are a high-growth, Platform as a Service company focused on Identity Authority to power and protect the world at work. You will experience tremendous growth and learning opportunities through challenging yet rewarding work which directly impacts our customers, all within a welcoming and positive work environment. If you're resilient and enjoy working in a dynamic environment you belong with us!
Saviynt is an equal opportunity employer and we welcome everyone to our team. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.