Compliance Analyst - Digital

Costco IT is responsible for the technical future of Costco Wholesale , the third largest retailer in the world with wholesale operations in fourteen countries.

Despite our size and explosive international expansion, we continue to provide a family, employee centric atmosphere in which our employees thrive and succeed.

As proof, Costco ranks eighth in Forbes World’s Best Employers .

This is an environment unlike anything in the high-tech world and the secret of Costco’s success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes.

Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy.

The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others.

Come join Costco Digital - part of the Costco Wholesale IT family . Costco Digital is a dynamic, fast-paced environment, working through exciting transformation efforts.

We are building the next generation digital retail environment where you will be surrounded by dedicated and highly professional employees.

We are embarking on a large digital transformation and need team members like you to help us grow to the next level.

Our Digital team is transforming how we deliver solutions and interact with our members across our Mobile, Commerce and Order Management platforms.

We have a culture of improvement & learning with a start up mentality and a customer centric approach for our Costco members and our employees.

We are looking for talented individuals to join our team and pursue bold ideas and explore growth opportunities.

Compliance Analysts support the overarching values and business goals of Costco as they relate to meeting legal and regulatory obligations, protecting member privacy, and ensuring continued compliance.

Compliance Analysts work closely with other teams to define and set corporate guidance in response to emerging standards and legislations by making certain that all policies and procedures are implemented and well documented, performing internal reviews, and identifying compliance problems that call for formal attention.

Compliance Analysts speak both technical and business language interchangeably to effectively communicate and lead.

The role of the eCommerce Compliance Analyst will be responsible for helping to ensure continued IS Security and Privacy compliance, alignment to PCI and SOX.

The eCommerce Compliance Analyst supports Costco’s strategy to maintain the compliance posture required by laws and industry regulations.

This will be accomplished by working closely with IS Compliance and Security, Internal Audit, Legal and Business teams to address continuous compliance and identify ways to overcome findings related to noncompliance.

This role also tracks, reports, and advises eCommerce teams on incorporating controls into their day-to-day operations so that execution of the controls becomes business as usual.

This individual will be required to do what it takes’ to anticipate regulatory impacts, promote company awareness, meet compliance deadlines, propose solutions to deficiencies, and communicate effectively at all levels.

ROLE

Leads / Participates in the creation, implementation, monitoring, and maintenance of Security Policies and Standards.

Identifies problems, analyzes data, and presents findings in a professional manner, recommends mitigations either via new technology, alternative compensating controls, or policy modifications to improve overall security posture.

Provides governance for the identification, validation, and remediation of information technology controls for any applicable regulatory compliance frameworks.

Establishes and implements methodologies designed to identify general system and business controls, and identifies and prioritizes risks.

Designs IT testing procedures to identify and evaluate risk exposures and determine the effectiveness and efficiency of controls.

Maintains a strong understanding and adherence of current and upcoming standards, regulations, and legislation.

Stays current with new and evolving security topics and technologies via formal training and self-directed education.

Innovative, creative, and works well under pressure to identify and problem-solve high intensity situations with a strong sense of urgency.

Manages and communicates key compliance milestones for critical systems and complex processes.

Establishes and meets deadlines to ensure adherence to rules and regulations.

Assists and supports the organization with initial compliance with ongoing preparation, testing, and monitoring of conformance.

Promotes and supports a culture of compliance, risk avoidance / mitigation, and corporate accountability throughout the organization.

Audits information system activities and systems to confirm compliance and provides management with compliance assessments.

Develops, manages, and executes plans to communicate and remediate all known material weaknesses or significant deficiencies, and minimize any findings noted by either internal or external auditors.

Engages and collaborates with a variety of internal departments and external organizations, may include but not limited to legal firms, law enforcement agencies, and all other levels of government to ensure follow through and completion of compliance and mitigation activities.

Identifies risks and evaluates findings while working with internal departments / business units to appropriately address the findings.

Engages with the Business and SMEs to ensure compliance of IT Policies.

Proposes solutions to deficiencies found in the Policy and Standards.

Works with IT custodians at different levels in the organization to understand their respective security needs and assists with implementing Policies and Standards.

Assists with auditing of information systems activities and systems to confirm information security policy compliance and provides management with security policy compliance assessments.

Researches and retains currency on PCI, SOX, CCPA, HIPAA, GDPR etc., and adherence to industry standards.

Works with other business and legal departments in response to emerging standards and legislation.

Maintains a strong understanding of current and upcoming regulatory requirements and legislation.

Socializes Information Security policies, standards, and procedures.

Develops and executes project / program plans, coordinates required resources.

REQUIRED

5-10 years’ IT background; experience with compliance or regulatory issues preferred.

3+ years’ prior experience supporting a Level 1 or Level 2 organization’s SOX, PCI, and Privacy (CCPA, CPRA, HIPAA, GDPR) compliance effort, working with an auditor and assessor or serving as an auditor and assessor.

Intermediate knowledge of five or more of the following technical areas : network segmentation, operating system security, encryption and key management, tokenization, antivirus and malware, secure system development, identity and access management, vulnerability management, physical access controls, penetration testing, file integrity monitoring, logging, and information security policies and standards.

Able to scope, interpret, and prioritize controls test results.

Experience with project management (planning, organizing, and managing resources to bring about the successful completion of specific project goals and objectives).

Ability to identify problems, analyze data, and present conclusions effectively.

Excellent communication skills, both oral and written, that can communicate security and compliance issues to executives, end users, and stakeholders in an effective and appropriate manner.

Excellent PC skills (spreadsheets, slide decks, documents).

Understanding in all aspects of risk management, data compliance, information security strategy, technologies, and tools.

Experience developing and executing global security risk management and compliance programs.

Excellent conceptual and critical thinking skills and sound judgment, with strategic orientation and ability to perform tactically, as required.

Experience in providing technical expertise appropriate to knowledge of risk and cost-effective delivery of essential security services.

Solid understanding of IT systems, applications, networks, and databases.

Proven experience developing and submitting audit and compliance reports to governing bodies, legal entities, and / or external authorities.

Understanding of assessing and designing internal controls in an enterprise-level environment.

Direct experience and knowledge of applicable local and federal information technology laws.

Knowledge and understanding of security controls across all security domains such as access management, encryption methods, vulnerability management, network security, etc.

Knowledge of risk management practices and security governance programs.

Excellent communication skills (both written and oral)

Recommended

Project Management skills and experience.

Understanding of networking technologies, such as firewalls, routers, load balancers, and proxies.

Working knowledge of information systems security standards and practices (e.g., access control and system hardening, system audit and log file monitoring, security policies, and incident handling).

Required Documents

Cover Letter

Resume

California applicants, please click to review the Costco Applicant Privacy Notice.

Pay Ranges :

Level 2 - $85,000 - $120,000

Level 3 - $110,000 - $150,000

Level 4 - $140,000 - $185,000

We offer a comprehensive package of benefits including paid time off, health benefits - medical / dental / vision / hearing aid / pharmacy / behavioral health / employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), stock purchase plan to eligible employees.

If hired, you will be required to provide proof of authorization to work in the United States. Applicants and employees for this position will not be sponsored for work authorization, including, but not limited to H1-B visas.