Principal Analyst, Technology Compliance jobs in United States

CarMax · 1 month ago

Principal Analyst, Technology Compliance

CarMax is the nation’s largest retailer of used cars, known for delivering transparent and high-integrity customer experiences. They are seeking a Principal Technology Compliance Analyst who will be responsible for establishing and improving compliance management frameworks, conducting audits, and collaborating with technology teams to ensure adherence to regulatory requirements and industry standards.

Automotive, Marketplace, Online Portals
No H1B

Responsibilities

Design, implement, and maintain enterprise-wide General IT Controls (GITCs) and compliance frameworks aligned with regulatory requirements (PCI DSS, SOX, HIPAA, Data Privacy, etc.)
Develop and enforce processes and procedures to ensure adherence to company policies, laws, and industry standards (e.g., NIST, ITIL)
Influence compliance strategy and direction within established standards and guidance
Plan and execute compliance testing, control assessments, and documentation for technology environments
Validate key controls, identify risks, analyze root causes, and recommend improvements to meet compliance standards
Communicate remediation and prevention strategies using leading practices and drive completion of corrective actions
Facilitate internal and external audits across technology teams
Collaborate with GRC teams to strengthen assessment processes
Serve as a trusted advisor and subject matter expert for technology controls
Maintain strong knowledge of industry trends, regulations, and emerging standards
Assess, design, and implement technical improvements to control testing processes leveraging automation, AI, etc.
Develop and deliver compliance training and awareness programs across all domains
Mentor team members and support professional development to foster organizational maturity

Qualification

Compliance Management, IT Audit, Risk Management, Information Security, CISA Certification, SOX Compliance, Data Privacy, NIST Standards, Effective Communication, Facilitation Skills, Organizational Skills, Leadership Skills

Required

Degree in Technology, Computer Science, or Business, with solid IT audit or compliance management experience or equivalent work experience
7+ years of experience with enterprise compliance, audit, and/or risk management programs, privacy, data security, and control issues across cloud and on-premises environments
Strong understanding of key compliance regulations (Sarbanes-Oxley, GLBA, HIPAA, PCI)
Ability to stay abreast of industry trends, emerging threats, and changing external regulations, and adapt core compliance processes accordingly
Experience in designing and implementing enterprise Compliance Governance frameworks, including identification, assessment, and mitigation of compliance exposure
Detailed knowledge and experience with IT General Controls and operational testing procedures for SOX, PCI, and privacy
Ability to assess alternative compliance approaches and methodologies, both quantitatively and qualitatively, to meet business needs
Effective communication skills to convey risks, gather test evidence, and translate compliance findings into actionable steps
Ability to assess, identify, and document third-party system compliance deficiencies and recommend solutions
Excellent facilitation skills for group discussions, diplomacy, and seeking diverse opinions
Strong organizational and time management skills
In-depth knowledge of information security, compliance management frameworks, and standards (NIST, OWASP, SANS, ISO-27001/2, COBIT, ITIL)
Commitment to top-quality service and exceeding customer expectations
Demonstrated leadership and ability to gain consensus across teams without direct reporting responsibility
Possession of CISA certification (required)

Preferred

CRISC certification
CIA certification
CISM certification
CISSP certification
PCI certifications

Company

CarMax provides an online platform for searching new and used cars, researching models, and comparing vehicles.

Funding

Current Stage
Public Company
Total Funding
$98.19M
2021-06-08: Post-IPO Equity · $98.19M
1997-01-05: IPO

Leadership Team

Tom Reedy
EVP & Chief Financial Officer
Charles Joseph Wilson
Executive Vice President, Chief Operating Officer
Company data provided by crunchbase