salmon-group - GRC Manager (PCI-DSS Focus)
Requirements
• 6+ years in security GRC, compliance, or audit, with real ownership of a compliance program
• Has led a PCI-DSS certification end to end, ideally as a service provider, and maintained the status across cycles
• Has managed a QSA relationship and run a real audit, not just supported one
• Has led cardholder data environment scoping and segmentation decisions with technical teams
• Comfortable across at least PCI-DSS and one of ISO 27001 or a banking framework (BSP MORB or equivalent)
• Worked in a regulated environment where compliance was enforced, not aspirational

What sets the right person apart
• Can translate a compliance requirement into a specific technical or process change, and explain it to engineers in their terms
• Understands the technology well enough to know whether a proposed control actually satisfies the requirement
• Treats certification as a state to maintain, not a one-time project
• Builds evidence and monitoring into how controls run, rather than collecting it under deadline pressure

Technical understanding
• Solid grasp of network segmentation, access control, encryption, logging, and the other technical domains PCI touches
• Enough literacy in cloud (AWS), identity, and infrastructure to hold a credible conversation with engineering about how a control is implemented
• Comfortable working in Jira and Confluence, and open to building automation around evidence and reviews
• Experience with a GRC platform (Vanta, Thoropass, ServiceNow GRC, or similar)
• Familiarity with BSP examination processes or Philippine financial services regulation
• Certifications: PCI-DSS ISA, CISA, CRISC, CISSP, ISO 27001 Lead Auditor or Implementer
• Strong written and verbal English; most work is async and documentation quality matters
• Can lead a working session with engineering and a reporting conversation with leadership equally well
Responsibilities
PCI-DSS certification and maintenance
• Own the PCI-DSS program end to end as a service provider: scoping, gap assessment, remediation, certification, and annual maintenance
• Define and minimize the cardholder data environment; drive segmentation and scope reduction with engineering and infrastructure
• Manage the QSA relationship: scoping workshops, evidence packages, assessment, and findings
• Keep the certification live between audits: quarterly requirements, ongoing evidence, control monitoring

Translating compliance into reality
• Turn PCI and other framework requirements into concrete technical and organizational solutions, working directly with engineering and infrastructure teams
• Distinguish between a control that exists on paper and one that actually works, and insist on the latter
• Design the processes and evidence flows that keep controls satisfied without constant manual effort

Audit and assurance
• Lead internal and external audits: scope, evidence, finding responses, closure
• Build and maintain an evidence base that supports continuous readiness across PCI, ISO 27001, and BSP
• Coordinate the ISO 27001 surveillance cycle
• Bring structure and ownership to the wider compliance and risk program
• Maintain the risk register as a working document and drive treatment with system owners
• Run vendor security assessments and track third-party compliance obligations
• Report compliance posture clearly to leadership and governance committees