CARMAX Principal IT Compliance Analyst in Richmond, United States

8901 - Corp Office West Crk - 12800 Tuckahoe Creek Parkway, Richmond, Virginia, 23238

CarMax, the way your career should be!

Do you want to play a key role in enhancing the Cybersecurity program for a Fortune 200 company and national brand that has also been listed on the Fortune 100 Best Places to Work? Do you enjoy working in a collaborative environment where your ideas can help shape the direction and development of critical cybersecurity capabilities?

Do you want to work with a team of talented professionals that have in-depth technical knowledge and be the subject matter expert in technology compliance governance and audit compliance?

Then your job search begins and ends here…

Who we are looking for:

The Principal Compliance Analyst should have in-depth knowledge of, and be the subject matter expert in, compliance management, information security controls, and auditing for compliance. This is a unique opportunity at a Fortune 200 company and national brand to expand your skills and influence in the Cybersecurity Program. As the Principal Compliance Analyst, you will be responsible for establishing and maintaining the compliance management framework and processes in line with regulatory requirements as well as industry-standard frameworks. You will work with the Technology management teams to evaluate controls, conduct compliance reviews (audits) of key controls within technology, report results and track issues, and monitor the remediation/mitigation plans to address identified issues. In addition, this hands-on role serves as a controls and compliance expert: taking an advice and counsel role with business and control owners and assisting with compliance-related activities. You will provide compliance consulting direction on cross-functional projects and ensure compliance with policies, procedures, leading practices, access control, asset classification, data privacy, architecture, company security and compliance standards, and regulatory obligations.

The Day to Day:

  • Responsible for the design, development and maintenance of the framework for Technology Compliance management, including validation and classification methods.

  • Plan, design and execute compliance testing, controls assessment and documentation across all domains for IT General Controls, Payment Card Industry (PCI DSS), Data Privacy, HIPAA and other compliance requirements, as appropriate.

  • Develop related processes and procedures to ensure and enforce compliance with all company policies, applicable laws, and regulatory requirements regarding information security, privacy, and data integrity as well as reducing risk.

  • Serve as trusted advisor and technology key controls subject matter expert; partner to evaluate the design and effectiveness of the control environment, both operational and technical; develop trending for remediation efforts and overall compliance with regulatory and operational standards; and build compliance programs including detailed exception reporting and complex configuration monitoring requirements.

  • Lead information security key control validation to identify control risks, analyze root causes and trends in potential control weaknesses, and recommend new controls to meet compliance standards where applicable.

  • Partner with and facilitate internal and external audits within the technology teams.

  • As an integral member of the team, exhibit ownership, follow-through, initiative, awareness and effective communication with peers and management, and the ability to speak to the details of compliance.

  • Consistently show the ability to provide mentorship and support professional development opportunities that promote individual growth and foster organizational maturity.

  • Champion technical compliance with cybersecurity-related regulatory requirements (PCI, SOX, PII, NYDFS, HIPAA, etc.).

Technology Compliance Methodology:

  • Ability to understand business requirements and help design and implement industry-standard Compliance management practices across all supported technology environments.

  • Champion of the Technology Compliance methodology, demonstrating ownership of the design aspects of the operations lifecycle.

  • Passionate about continuous improvement and ownership of controls across systems and processes.

  • Understand the level of Compliance and exposure as it relates to systems, services and networks.

  • Ability to develop and deliver compliance training and awareness activities with proven results across all domains.

  • Maintain a strong knowledge base and awareness of industry and technology trends and of external regulations for new or changed requirements within technology, and identify industry standards for core processes (e.g. NIST, PCI, ITIL, data privacy, etc.).

  • Able to influence the compliance direction of others within the Compliance standards and guidance.

  • Proven ability to effectively communicate remediation and prevention approaches via leading practices.

  • Ability to develop and deliver the training needed to achieve business understanding of compliance for business partners, engineers, developers and analysts.

  • Ability to build relationships that help overcome obstacles and time constraints to successfully deliver remediation to completion.

  • Collaborate with Audit, Privacy and Legal departments for assessment improvements.

Here's the technology part…

Experience with the following required:

  • Strong understanding of key compliance regulations such as Sarbanes-Oxley, GLBA, HIPAA and Payment Card Industry (PCI).

  • An ability to stay abreast of industry trends and emerging threats while also keeping a keen eye on changing external regulations within technology and how we can adapt standards from core compliance processes.

  • Experience in the design and implementation of an enterprise Compliance Governance framework, including the identification, assessment and mitigation of Compliance exposure, while understanding how to balance the company's Compliance appetite and its overall impact.

  • Must have detailed knowledge of and experience with IT General Controls across all domains and operational testing procedures as they pertain to SOX, PCI and privacy.

  • Demonstrated ability to assess alternative technology Compliance approaches and methodologies while assessing Compliance both quantitatively and qualitatively to meet business needs.

  • Proven ability to effectively communicate risks and influence without authority to gather test evidence and translate compliance findings into actions.

  • Able to assess, identify, and document third-party system compliance deficiencies and recommend solutions.

  • Excellent communication skills and a keen ability to facilitate group discussions with diplomacy and to seek diverse opinions.

  • Desire to keep current with technology and emerging technology compliance trends.

  • Possess strong organization and time management skills.

Education and/or Experience:

  • BS Degree in Technology, Computer Science or Business, with solid IT audit or compliance management experience.

  • In-depth knowledge of information security and Technology Compliance management industry frameworks and standards such as NIST, OWASP, SANS, ISO 27001/27002, COBIT and ITIL.

  • 8+ years of working experience with enterprise compliance and risk management programs, privacy, data security and control issues across Cloud and on-premises technology and services.

  • Previous working experience and knowledge of two or more security functions (Compliance Assessor, QSA, Security Specialist, IT Auditor).

  • Dedication and commitment to top-quality service and to exceeding customer expectations.

  • Demonstrated leadership - ability to gain consensus across teams without direct reporting responsibility.

  • Desire to keep current with technology and the client industry.

  • CISA certification required.

  • CRISC, CIA, CISM, CISSP or PCI certifications desired.

Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.

If you have technical problems when submitting your application, please contact us by phone (888) 922-7629 ext. 3888 or email

CarMax disrupted the auto industry by delivering the honest, transparent and high-integrity experience customers want and deserve. This innovative thinking around the way cars are bought and sold has helped us become the nation’s largest retailer of used cars, with over 200 locations nationwide.

Our amazing team of more than 25,000 associates work together to deliver iconic customer experiences. Along the way, we help every associate grow their career and achieve their best, at work and in their community. We are recognized for our commitment to training and diversity and are one of the FORTUNE 100 Best Companies to Work For®.
