Security Assurance & Compliance Specialist

Job Summary

The Security Assurance & Compliance Specialist is responsible for protecting the confidentiality, integrity, and availability of Mercans’ global payroll SaaS platform and internal infrastructure.

This role focuses on governance, risk, and compliance (GRC), ensuring that Mercans meets rigorous international data protection standards (GDPR, LGPD, etc.) and maintains key certifications (ISO 27001, SOC 1/SOC 2).

The specialist will act as a guardian of sensitive payroll and financial data (PII), managing client trust through audit support, internal control monitoring, and risk governance.

Duties and responsibilities

Global Compliance & Certifications (SaaS Focus)

  • Manage and maintain the company’s adherence to international security frameworks, specifically ISO 27001, ISO 27701, and SOC 1 / SOC 2 Type II attestations.
  • Regulatory Monitoring: Continuously track changes in global data privacy laws and payroll-specific regulations to assess their impact on Mercans’ SaaS operations.
  • Audit Management: Coordinate the full lifecycle of external audits, acting as the primary liaison between external auditors and internal technical teams.
  • Conduct internal audits and gap analyses to ensure that cloud infrastructure and operational processes align with control objectives.

Governance, Risk, and Policy Management

  • ISMS Management: Maintain and evolve the Information Security Management System (ISMS), ensuring policies and procedures remain aligned with business growth.
  • Risk Assessments: Facilitate annual company-wide risk assessments and Data Protection Impact Assessments (DPIAs) for new SaaS features or vendors.
  • AI & Automation Integration: Identify, evaluate, and implement AI-based automated tools to streamline compliance workflows, policy analysis, and repetitive security tasks.
  • Policy Lifecycle: Manage the review, update, and approval process for all information security policies.
  • Reporting: Define and track key security performance indicators (KPIs) and risk indicators (KRIs) to report the state of compliance to senior leadership.

Client Trust & Vendor Risk Management

  • Client Assurance: Lead the technical response to client security questionnaires (SIG, CAIQ) and RFPs, leveraging AI tools to automate answer retrieval where possible.
  • Contract Review: Collaborate with the Legal team to review security addendums and Data Processing Agreements (DPAs) in client contracts.
  • Vendor Risk: Evaluate and monitor third-party vendors and sub-processors to ensure the security of the broader SaaS supply chain.
  • Maintain the “Security Trust Center” documentation, keeping whitepapers and compliance certificates up to date.

Threat Monitoring & Penetration Testing

  • Penetration Testing Coordination: Plan and oversee the annual schedule of external penetration tests (black box/gray box) for the SaaS platform and mobile applications. Engage and manage third-party ethical hacking firms.
  • Vulnerability Management: Manage the internal vulnerability scanning program. Analyze reports, prioritize findings based on risk (CVSS), and enforce remediation SLAs with the DevOps/Engineering teams.
  • Threat Surveillance: Monitor security information and event management (SIEM) tools for anomalies related to unauthorized data access or geographic login irregularities.
  • AI-Enhanced Detection: Utilize AI-driven analytics to detect behavioral anomalies and reduce false positives in alert monitoring.
  • Dynamic/Static Analysis: Coordinate DAST and SAST tool integration within the CI/CD pipeline to ensure code is tested before deployment.

Incident Response & Resilience

  • Lead incident response efforts for data breaches, specifically handling breach notification timelines required by global regulators and client contracts.
  • Post-Incident Review: Conduct “Lessons Learned” sessions following incidents to identify root causes.

Business Continuity & Disaster Recovery (BCDR)

  • BCDR Planning: Oversee the maintenance of Business Continuity and Disaster Recovery plans.
  • Testing & Validation: Coordinate and document the execution of annual Disaster Recovery tests and Tabletop Exercises (TTX).

Employee Awareness & Human Risk Management

  • Conduct specialized training for staff on handling PII and financial data securely.
  • Execute phishing simulations to test resilience against social engineering attacks (BEC/CEO fraud).
  • Promote a “Security First” culture through internal newsletters and alerts.

Education and experience

  • 3+ years of experience in Information Security, GRC, or IT Audit, preferably within a SaaS, Fintech, or Payroll provider.
  • Deep understanding of PII protection and data classification standards.
  • Proven experience managing or supporting SOC 2 or ISO 27001 audits.
  • Experience with AI-driven security tools or GRC automation platforms.
  • Experience responding to enterprise security questionnaires (e.g., SIG, CAIQ).
  • Familiarity with global privacy laws (GDPR) and their impact on system architecture.
  • Experience with Business Continuity Planning (BCP) and Disaster Recovery (DR) frameworks.
  • Good verbal and written communication skills in English.

Nice to have

  • Relevant cybersecurity certifications (e.g., CISSP, CISM, CEH, OSCP, or equivalent).
  • Familiarity with cloud security practices and infrastructure security (AWS, Azure, or GCP).
  • Knowledge of scripting or programming languages for security automation (Python, PowerShell, Bash).

SMART Performance Goals

Client Trust & Audit Readiness

  • Specific: Streamline the response process for client security questionnaires. Create a centralized repository of pre-approved security answers.
  • Measurable: Reduce the average turnaround time for client security questionnaires from 5 days to 2 days. Pass the SOC 2 surveillance audit with zero major non-conformities.
  • Achievable: Collaborate with legal/sales and implement a knowledge base tool.
  • Relevant: Impacts sales cycles and revenue retention.
  • Time-bound: Q2/2025

Data Loss Prevention (DLP) Enhancement

  • Specific: Conduct a comprehensive review of data egress points. Implement stricter DLP rules specifically targeting payroll files and banking formats.
  • Measurable: Audit 100% of PII repositories. Reduce false-positive DLP alerts by 30%.
  • Achievable: Utilize existing Cloud security licenses to configure advanced rules.
  • Relevant: Critical to prevent data leaks and regulatory fines.
  • Time-bound: Q2/2025

Phishing and Social Engineering (SaaS Targeted)

  • Specific: Organize a company-wide awareness campaign focusing on “Business Email Compromise” (BEC). Execute simulated attacks.
  • Measurable: Achieve 100% employee participation. Reduce click rates by 40%.
  • Achievable: Use tools like PhriendlyPhishing.
  • Relevant: Employee awareness is the first line of defense.
  • Time-bound: Q2/2025

Business Continuity & Disaster Recovery (BCDR) Validation

  • Specific: Plan and execute a formal “Tabletop Exercise” (TTX) simulating a major ransomware attack. Update the Business Impact Analysis (BIA).
  • Measurable: Complete TTX with <3 critical gaps. Validate RTO of 4 hours.
  • Achievable: Coordinate with DevOps/Cloud teams for a maintenance window test.
  • Relevant: Validates resilience obligations in client contracts.
  • Time-bound: Q3/2025

Automated Compliance & Control Monitoring

  • Specific: Implement a continuous compliance monitoring platform (e.g., Vanta, Drata) to streamline evidence collection for ISO 27001 and SOC 2.
  • Measurable: Automate collection of 80% of technical evidence. Reduce manual audit prep effort by 50%.
  • Achievable: Integrate the GRC tool with AWS/Azure, HRIS, and GitHub.
  • Relevant: Reduces “audit fatigue” and ensures continuous audit readiness.
  • Time-bound: Q4/2025

AI-Driven Security & Efficiency

  • Specific: Research and deploy AI-based tools to augment security operations, specifically focusing on automated questionnaire completion and intelligent log analysis.
  • Measurable: Reduce the time spent on manual RFP security answers by 60% using AI assistance. Implement at least one AI-driven alert rule that catches anomalies missed by static rules.
  • Achievable: Pilot features within existing platforms (e.g., Copilot for Security, Loopio).
  • Relevant: Leverages emerging technology to handle increasing workloads.
  • Time-bound: Q4/2025
