Magnet.me - The smart network where students and professionals find their internship or job.

IT Risk and Compliance Analyst - Central Tech

Posted 10 Mar 2026
Work experience
2 to 8 years
Full-time / part-time
Full-time
Function
Education level
Language requirement
English (Fluent)

Role Description

About the team:

Booking.com follows a defense-in-depth strategy for managing its risks. As part of this strategy, Booking has 3 departments, each focusing on one line of defense. Global Internal Audit (GIA) is responsible for the 3rd line of defense, Risk and Controls (R&C) is responsible for the 2nd line of defense, while the responsibility for the 1st line is distributed between process/control owners and the Trust, Risk, Assurance and Compliance (TRAC) team. TRAC is the first-line risk team responsible for Central Tech business unit risks and Security, Safety & Fraud (SS&F) risks across the company.

The IT Risk & Compliance Analyst for Central Tech is responsible for partnering with the platform and capability owners throughout the Central Tech business function to design and maintain IT security and compliance controls in line with our risk appetite and regulatory requirements and to maintain the quality of our processes. The role requires working closely with platform owners and development teams to have a solid high-level understanding of risks, while being able to zoom in and out of the details to ensure understanding of the solution design for designing effective controls.

Key job responsibilities and duties

Risk and compliance partnership

  • Act as a Risk Partner to platform owners and development teams, providing expertise in NIST, SOX, PCI-DSS, NIS2 and security best practices and tailoring compliance requirements to cloud and DevOps environments.
  • Architect “Guardrails” for secure and compliant onboarding to cloud environments, ensuring that security is “baked in” rather than “bolted on.”
  • Provide right-sized advisory on control design, championing agile and scalable solutions that solve problems without overengineering, ensuring controls are effective but not obstructive.
  • Bridge the gap between technical teams and audit functions, translating complex tech stacks into risk-based language for Internal/External Audit.

Risk assessments

  • Execute technical risk assessments for new platforms and major architectural changes, identifying risks in modern tech stacks and supporting teams in implementing appropriate safeguards.
  • Maintain the risk inventory by systematically tracking and monitoring identified issues originating from audits, penetration tests, and risk assessments to ensure Booking.com maintains a robust and resilient risk posture against current and emerging attack vectors.
  • Perform root cause analysis on issues to identify systemic risks and propose structural improvements to the control framework.

Automation & continuous improvement

  • Drive automation initiatives by identifying manual compliance bottlenecks and designing efficient workflows leveraging automation and AI.
  • Unify control frameworks across various platforms to simplify compliance and reduce “compliance fatigue” for engineering teams.
  • Enhance methodology by contributing to refinement of risk assessment procedures to keep pace with the dynamic nature of a high-growth tech environment.

Risk reporting & compliance execution

  • Deliver data-driven risk insights by reporting on risk coverage and issues using tools like Jira and ServiceNow.
  • Support audit readiness by ensuring that platform owners are prepared for regulatory cycles, preparing and facilitating walkthroughs, coordinating evidence requests, drafting remediation & mitigation memos as needed, and aligning with engineering teams.

Tech business function and other business units

  • Partner with risk owners by providing guidance and support in designing and implementing appropriate controls to strengthen the control environment, mitigate company risks, and support the business in achieving objectives.
  • Identify control gaps based on identified risks.
  • Facilitate and participate in cross-functional groups to implement or enhance controls in cross-functional processes.
  • Support risk owners in standardizing & improving process and controls documentation.
  • Support business functions and units in ongoing compliance with SOX, PCI, GDPR and other control areas.
  • Conduct risk assessments and document the outcome and action plans.
  • Maintain the domain control inventory and narratives for in-scope technologies; own day-to-day KTLO (issues, evidence requests, audit tasks, etc.).

Compliance, monitoring and assurance

  • Inform of new IT control implementations for tracking and reporting.

Risk governance & projects

  • Report the outcome of assessments for risk monitoring and reporting.

Subject matter experts (SMEs) e.g. Security, Fraud, Privacy, Legal, etc.

  • Obtain guidance and support for the implementation of IT controls in different regulatory domains.

Internal & external audit

  • Support internal and external audit engagements to ensure that remediation plans are implemented on a timely basis for any deficiencies found.
  • Support SOX and PCI audit cycles.

Knowledge and skills

  • Experience in cloud security and compliance (AWS, GCP, Azure, etc.) and the DevOps domain is a MUST.
  • Familiarity/experience working with a wide range of technologies (internally developed applications, Windows, Linux, databases, GitLab, etc.) from a risk and security perspective.
  • Hands-on experience in business analysis, auditing, IT governance, risk management or internal controls.
  • Ability to develop solid relationships with engineering teams in order to drive the adoption of the risk management culture.
  • Technical understanding of internal control requirements and design, and experience in applying them in various businesses.
  • Stay flexible to meet the dynamic business needs, while maintaining robust solutions that strengthen the IT control environment.
  • Able to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.
  • Be flexible and agile in response to changes in the business, in stakeholder expectations and/or in the regulatory/operating environment of B.com.
  • Strong independent contributor, while still a strong team player.
  • Previous experience in software development/software engineering is a plus.
  • Strong communication skills; fully comfortable working in English, both written and spoken.

Benefits & perks - Global impact, personal relevance:

Booking.com’s Total Rewards Philosophy is not only about compensation but also about benefits. We offer a competitive compensation and benefits package, as well as unique-to-Booking.com benefits which include:

  • Annual paid time off and generous paid leave scheme including: parent, grandparent, bereavement, and care leave.
  • Hybrid working including flexible working arrangements, and up to 20 days per year working from abroad (home country).
  • Industry-leading product discounts - up to 1400 per year - for yourself, including automatic Genius Level 3 status and Booking.com wallet credit.
  • Living and working in Amsterdam, one of the most cosmopolitan cities in Europe.
  • Contributing to a high-scale, complex, world-renowned product and seeing real-time impact of your work on millions of travelers worldwide.
  • Working in a fast-paced and performance-driven culture.
  • Opportunity to utilize technical expertise, leadership capabilities and entrepreneurial spirit.
  • Promote and drive impactful and innovative engineering solutions.
  • Technical, behavioral and interpersonal competence advancement via on-the-job opportunities, experimental projects, hackathons, conferences and active community participation.
  • Competitive compensation and benefits package and some great added perks of working in the home city of Booking.com.

Welcome to the world of Booking.com Compass. This is the space and community we have created at Booking.com for all of you who have just started navigating your first career journey.
If you join our unique 15-month Graduate Software Engineering Program or Data Science & Analytics Graduate Program in our Amsterdam office, you’ll be offered a permanent role with a clear pathway to step into the next career level.

ICT
Amsterdam
Active in 70 countries
12,000 employees
60% men - 40% women
Average age 32