• Help healthcare organizations solve challenges through strategic process improvement • Manage complex projects • Strengthen team collaboration and drive innovations in healthcare IT • Use honesty and candor to provide straightforward truths and conversations with clients

Position Responsibilities: - Coordinate internal and external assessments by gathering documentation, tracking action items, and facilitating communication between stakeholders across Security, IT, Legal, and business units - Track and drive awareness of compliance findings by maintaining documentation, following up with responsible parties, and updating status reports - Manage intake and response processes for customer security questionnaires and external assessments, ensuring timely and accurate submissions - Support day-to-day security compliance activities by assisting with the validation of technical and procedural controls across infrastructure, systems, and user access to ensure alignment with organizational security requirements and standards - Assist in building and documenting security compliance processes that are tool-agnostic, with an emphasis on automation, scalability, and adaptability to evolving GRC platforms or technologies - Assist in conducting control assessments and evaluations to support compliance with internal policies and external frameworks such as CIS, ISO, and NIST - Travel occasionally based on business needs - Other projects or duties as assigned Required Education and Experience: - Bachelor's Degree and 2 to 4 years of experience working in a security-focused compliance role or High School Diploma/General Education Degree (GED) and 5 to 7 plus years of experience working in a security role involving risk assessment and/or security compliance/testing. - Ability to communicate complex security and compliance concepts to a wide range of stakeholders—from technical teams and individual contributors to senior leadership—tailoring messaging to suit the audience’s level of expertise and decision-making needs. Reyes Holdings values a culture of collaboration and synergy amongst technical and non-technical teams. Preferred Education and Experience: - Experience with security and compliance frameworks such as CIS Critical Security Controls, ISO 27001, SOC 2, NIST 800-53, ISA/IEC 62443. - Participation in internal or external audits, including evidence collection, remediation tracking, and audit readiness activities. - Experience with GRC platforms for managing compliance workflows, evidence & issue tracking, and reporting. - Experience with Operational Technology (OT) and/or Cloud environments. - Familiarity with data visualization or reporting tools (e.g., Power BI, Tableau, Alteryx, Excel) to support compliance reporting. - Understanding of identity and access management (IAM) concepts, including user access review and account lifecycle governance. - Industry certifications: Security+, SSCP, ISC2 CC, CISA, CRISC, CISSP, or another equivalent are a plus. Benefits At the Reyes Family of Businesses, our Total Rewards Strategy prioritizes the holistic well-being of our employees. This position offers a comprehensive benefits package that includes Medical, Dental, Vision coverage, Paid Time Off, Retirement Benefits, and complimentary Health Screenings. Equal Opportunity Employee & Physical Demands Reyes Holdings and its businesses are equal opportunity employers. Company policy prohibits discrimination and harassment against any applicant or employee based on race, color, religion, sex, pregnancy or pregnancy-related medical conditions, marital status, sexual orientation, gender identity or expression, age, national origin, citizenship, disability, genetic information, military or veteran status, or any other basis protected by applicable law. In addition, the Company is committed to providing reasonable accommodation to applicants and employees in accordance with applicable law. Requests for accommodation should be directed to your point of contact in the Talent Acquisition or Human Resources departments. Background Check and Drug Screening Offers of employment are contingent upon successful completion of a background check and drug screening. Pay Transparency Our compensation philosophy embraces diverse factors for fair pay decisions, valuing skills, experience, and the needs of our business. Moreover, this role may have the opportunity to participate in a discretionary incentive program, subject to program rules.

Welcome to the Agentic Commerce Era At Commerce, our mission is to empower businesses to innovate, grow, and thrive with our open, AI-driven commerce ecosystem. As the parent company of BigCommerce, Feedonomics, and Makeswift, we connect the tools and systems that power growth, enabling businesses to unlock the full potential of their data, deliver seamless and personalized experiences across every channel, and adapt swiftly to an ever-changing market. Simply said, we help businesses confidently solve complex commerce challenges so they can build smarter, adapt faster, and grow on their own terms. If you want to be part of a team of bold builders, sharp thinkers, and technical trailblazers, working together to shape the future of commerce, this is the place for you. As a Senior Security GRC Analyst and Internal Security Assessor (ISA), you will serve as the primary Subject Matter Expert (SME) for our global PCI DSS program at Commerce. We operate a highly mature PCI DSS 4.0 environment; your mission is to lead the continuous evolution of this program, ensuring that compliance is integrated into our "business as usual" (BAU) operations. While your primary focus is PCI, you will be a key player in our broader GRC function, supporting our SOC2 and ISO 27001 certifications. You will act as the technical bridge between our Engineering, Infrastructure, and IT teams and external auditors, ensuring that our high-security standards are documented, validated, and maintained. What You'll Do: PCI SME & Internal Security Assessor (ISA) - ISA Leadership: Serve as the officially designated PCI ISA for the organization. Manage the annual assessment lifecycle, including scoping, evidence collection, and validation of controls. - PCI 4.0 Evolution: Direct the ongoing maintenance of our PCI 4.0 program, with a specific focus on managing Targeted Risk Analyses (TRAs) and the customized approach where applicable. - Scoping & Segmentation: Partner with Cloud Engineering to validate PCI scope across our global footprint, ensuring effective network segmentation and data flow isolation. - QSA Liaison: Act as the primary point of contact for our external QSA, defending our control environment and streamlining the audit process to minimize disruption to technical teams. - Continuous Compliance: Operationalize PCI requirements (e.g., quarterly scans, penetration test remediation) into automated workflows. Multi-Framework Audit Management - Unified Control Framework: Support the broader GRC team in managing our SOC2 Type 2, ISO 27001, and other regulatory audits (as seen on https://www.google.com/search?q=security.commerce.com). - Technical Advisory: Provide GRC perspective on architectural designs, product launches, and infrastructure changes to ensure "compliance by design." - Remediation Management: Track and drive the remediation of audit findings and security gaps, working closely with asset owners to find pragmatic, secure solutions. Who You Are: - Experience: 6+ years in an Information Security or IT Audit role, with at least 3 years of deep focus on PCI DSS within a major cloud-native environment. - Certification: Active PCI ISA (Internal Security Assessor) or PCI QSA certification is mandatory. - Regulatory Expertise: Thorough understanding of PCI DSS 4.0 requirements and the practical application of the standard in modern environments. - Audit Fluency: Proven experience leading Level 1 Service Provider assessments. - Communication: Ability to explain complex compliance requirements to developers and business leaders in a way that emphasizes enablement rather than "blockage." Preferred Qualifications - Broad Framework Knowledge: Experience with SOC2 and ISO 27001:2022. - Cloud Security: Experience with GRC automation and familiarity with modern cloud-native security and observability tools. - Automation Mindset: Experience using GRC platforms and a desire to automate manual evidence collection to reduce audit fatigue. About You - You understand the "Why": You don't just "do compliance"; you understand the security intent behind every control and can help teams meet the requirement in a way that actually improves our security posture. - Technical Curiosity: You are comfortable diving into technical configurations (IAM policies, VPC flow logs, etc.) to verify control effectiveness yourself. - Adaptable: You enjoy the challenge of a high-paced environment where scale and security must coexist and evolve together. #LI-KE1 #LIHYBRID (Pay Transparency Range: $88,951.00 - $150,432.00) The exact salary will be dependent on the successful candidate’s location, relevant knowledge, skills, and qualifications. Inclusion and Belonging At Commerce, we believe that celebrating the unique histories, perspectives and abilities of every employee makes a difference for our company, our customers and our community. We are an equal opportunity employer and the inclusive atmosphere we build together will make room for every person to contribute, grow and thrive. We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the interview process, to perform essential job functions and to receive other benefits and privileges of employment. If you need an accommodation in order to interview at Commerce, please let us know during any of your interactions with our recruiting team. Learn more about the Commerce team, culture and benefits at https://www.commerce.com/careers/ Protect Yourself Against Hiring Scams: Our Corporate Disclaimer Commerce, along with many other employers, has become the subject of fraudulent job offers to hopeful prospective job seekers. Be advised: Commerce does not offer jobs to individuals who do not go through our formal hiring process. Commerce will never: - require payment of recruitment fees from candidates; - request personally identifiable information through unsanctioned websites or applications; - attempt to solicit money from you as part of the hiring process or as part of an employment offer; - solicit money to complete visa requirements as part of a job offer. If you receive unsolicited offers of employment from Commerce, we urge you to be extremely cautious and avoid engaging or responding.

• Be an initial evaluation point for all security-related tickets that come into the team's multiple queues (including triage, containment, and remediation) • Understand the basic incident response lifecycle • Excel at documentation and detailed notetaking, including SOP writing, incident reporting, email and instant messaging etiquette, and most importantly, documenting incident actions • Collect and analyze log data from complex, virtualized, multi-site computing environments and SNHU's technology ecosystem • Conduct real-time monitoring of security events from multiple sources and use analytical and problem-solving skills to identify, triage, analyze, investigate, and escalate information security events and alerts • Analyze digital evidence to identify indicators of compromise, adversary activity, root cause, incident timelines, and attack vector(s) • Perform incident response activities like endpoint isolation, malware remediation, forensic analysis, malware analysis, community member interviews, and network traffic analysis • Perform investigation and escalation for complex or high severity security threats or incidents • Coordinate information security incident response according to SNHU's Information Security Incident Response Plan • Communicate with partners, in a non-technical manner, at all organizational levels as part of incident response and remediation activities • Design and implement or monitor information security incident remediation plans • Design and manage security tools (e.g. Splunk, Halcyon, Microsoft Defender, Tenable) • Design, deploy, and manage detections and alerts for specific or common threat conditions • Design and implement standard operational processes for handling common incident types • Maintain automation scripts and other tools to enhance security operations efficiency • Familiarity with enterprise security tools like Splunk, Tenable, Proofpoint tools, Microsoft Defender components, Office 365 tools, PowerShell, and multiple network tools • Demonstrate a deep source of ethics, integrity, and confidentiality • Can remain calm and function at the highest level during a crisis • Remain up to date on latest threat intelligence • Develop strategies and solutions that improve or mitigate the risks associated with these threats • Work cross-functionally across ITS and all SNHU departments to provide guidance, and technical implementations to include triage, containment, and remediation when applicable • Provide customer support according to SNHU's Core Values and understand how and when to escalate potential issues • Help with risk management, vulnerability management, security assessment, auditing, and security authorization projects, as directed by the university's Information Security Management team • Provide mentoring to junior analysts • Other responsibilities as assigned