Staff Security Specialist, Compliance

At Disney, we're storytellers. We make the impossible, possible. The Walt Disney Company (TWDC) is a world-class entertainment and technological leader. Walt's passion was to continuously envision new ways to move audiences around the world-a passion that remains our touchstone in an enterprise that stretches from theme parks, resorts and a cruise line to sports, news, movies and a variety of other businesses. Uniting each endeavor is a commitment to creating and delivering unforgettable experiences - and we're constantly looking for new ways to enhance and protect these exciting experiences.

• Evaluates compliance with programs and processes to mitigate cybersecurity risk and ensure protection of company and allied assets and information.
• Reviews and enhances network systems and processes for compliance with external regulations and internal standards.
• Proactively identifies non-conforming areas and assesses risk.
• Recommends and implements compliance measures.
• Provides advice on compliance issues to solve challenging security compliance problems.
• Ensures documentation and reporting in support of analysis.
• Stays current on evolving legislative / regulatory changes related to security compliance.
• Coordinates with multiple stakeholder groups across TWDC to assess and monitor information security risks resulting from the use of external service providers.
• Responsible for planning, conducting and reporting on third party assessments including assessment planning, execution, and reporting; generating and distributing monthly findings past due reports; conducting RFP or rapid assessments when business conditions warrant; and providing quality assurance reviews of assessments conducted by others.
• Lead the third party assessment of outside legal counsel in support of Legal Operation's mission. This effort includes planning, conducting, and reporting on external law firms and following-up and tracking resolution of agreed-upon finding remediation plans.
• Provide consulting to internal business partners regarding third party risk and business side responsibility for controls when engaging a third party to deliver business objectives.
• Provide timely advice on security requirements in proposed and existing vendor contracts including advising the requestor when vendor proposed changes represent a high risk to Disney interests.
• Support the manager in preparing biweekly and monthly KPI, KRI, and status reports.
• Oversee data quality and workflow processes with Enterprise tools by conducting periodic data quality reviews; documenting and maintaining third party assessment procedures; and submitting requests for changes and enhancements based on changing third party assessment needs.
• Conduct quarterly disaster recovery inventory compliance work and prepare timely reports to leadership: coordinating with ISO teams in every segment and data transformations to transform received data into standardized content.
• As needed, provide disaster recovery advice to technology teams and maintain working relations with Disney business continuity planning.

• 10+ years of IT audit, or IT security and/or compliance experience
• Prior experience working within a global media or entertainment organization, supporting enterprise security functions
• Experience working with procurement and legal teams
• Knowledge of laws, regulations, and industry requirements related to Information Security (i.e. GDPR, Payment Card Industry, Domestic and International Privacy regulations)
• Knowledge and experience with diverse IT architectures and enterprise IT data centers, hosted services and cloud computing environments
• Knowledge of configuration management, change control/problem management integration, risk assessment, exception management and security baselines (e.g. COBIT, CIS Baselines, NIST, vendor security technical implementation guides, etc.)
• Must have ability to communicate effectively to all levels of the organization as well as to external stakeholders
• Must be able to establish credibility as a business partner respected by client-base with proven ability to gain "buy-in" from teams without direct line of authority
• Ability to develop consensus within an organization climate of diverse operational activities, cultures and geographic locations
• Project/program management and prioritization skills

• External audit (e.g., Big Four) and /or internal audit (e.g., Fortune 500)
• 5+ years of program and project management experience
• 5+ years of experience in third party risk management or IT vendor management experience
• 1+ years of experience in law firm or inside counsel cybersecurity
• 1+ years of experience with vendor risk management products
• Experience presenting and influencing mid-level executives on IT security and matters
• Knowledge and experience applying common security frameworks such as ISO27001 and SOC2
• Knowledge of Cloud and Perimeter technologies (e.g., router, firewalls, web proxies and intrusion prevention, etc.) and security tools (i.e. web application scanners, vulnerability scanners, file integrity monitoring, configuration monitoring, etc.)

• 4-year degree Computer Science, Risk Management, Information Security and/or equivalent professional experience
• 1 or more Information Security Certification such as CISA, CISM, CRISC, CBCP, CTPRA, C3PRMP

• Master's degree in computer science or IT Audit related field is preferred.