Note: The job is a remote job and is open to candidates in USA. UP.Labs is a venture studio that builds and launches vertical AI enterprise SaaS companies with corporate partners in transportation, mobility, logistics, and industrial markets. They are seeking a Senior Security Controls & Compliance Engineer to build, implement, and operate the security control foundation across multiple venture applications, ensuring readiness for SOC 2 compliance and supporting enterprise customer security requirements.
Responsibilities
- Build, implement, and operate security and compliance controls across multiple venture applications and supporting systems
- Translate enterprise customer security, data handling, and TPRM requirements into practical technical controls, operational workflows, evidence requirements, and remediation plans
- Create a reusable security control baseline that can be applied across current and future venture applications
- Select, configure, and operate a compliance automation platform (evaluating options such as Vanta, Drata, or Secureframe), including evidence integrations across cloud, GitHub, identity providers, ticketing, device management, and productivity tools
- Implement identity and access controls: SSO, MFA, role-based access, least privilege, access review workflows, and offboarding evidence
- Implement secure SDLC controls: branch protection, required code reviews, code scanning, dependency scanning, secret scanning, vulnerability management, and release/change management evidence
- Implement cloud security controls: IAM policies, encryption settings, logging, monitoring, backups, network restrictions, and security alerting
- Implement operational security workflows: vendor review, risk review, change management, policy attestation, incident response evidence, exception tracking, and recurring control reviews
- Maintain a centralized control library mapped to SOC 2 Trust Services Criteria, customer-specific requirements, and relevant frameworks (ISO 27001, NIST CSF, CIS Controls)
- Support SOC 2 readiness end to end: control mapping, evidence requirements, gap tracking, audit prep, and control verification
- Identify launch-blocking security gaps and close them directly where possible
- Partner with product engineering only where application-specific code, architecture, or deeper infrastructure changes are required, writing clear technical requirements and acceptance criteria for that work
- Support customer security questionnaires, audits, evidence requests, and enterprise security reviews with accurate technical detail
- Track control gaps, remediation status, launch blockers, and compliance risk for leadership
- Produce a repeatable security implementation playbook that future ventures can inherit, and support the handoff of a venture's security posture when it spins out
Skills
- 7+ years in security engineering, cloud security, DevSecOps, security operations, security compliance, or GRC, including hands-on control implementation in cloud/SaaS environments
- At least one full SOC 2 readiness-through-audit cycle owned or driven end to end
- Demonstrated ability to configure and operate security and compliance systems directly, not just document requirements
- Strong command of security controls, audit evidence, policy requirements, control testing, and control operation
- Proven experience translating enterprise customer security requirements into practical technical controls
- Hands-on experience with identity and access controls (SSO, MFA, RBAC, least privilege, access reviews, offboarding)
- Hands-on experience with secure SDLC controls (source control permissions, code review, branch protection, vulnerability management, dependency and secret scanning, change management evidence)
- Hands-on experience with cloud security controls (IAM, encryption, logging, monitoring, backups, network restrictions, alerting)
- Experience standing up and operating a compliance automation / GRC platform (e.g., Vanta, Drata, Secureframe) from scratch
- Familiarity with our core stack: GitHub, Jira or Linear, Okta, Google Workspace, Slack, and a major cloud provider (AWS, Azure, or GCP)
- Strong written communication for policies, procedures, audit documentation, technical requirements, and customer-facing security responses
- Ability to operate independently in an ambiguous, fast-moving venture environment and deliver on a compressed timeline
- Experience supporting enterprise customers with strict security, data handling, or TPRM requirements
- Experience in venture-backed startups, enterprise SaaS, or venture studio environments
- Experience carving a company's security posture out of a parent or shared-services environment during a spin-out or standalone build
- Familiarity with SOC 2 Trust Services Criteria, ISO 27001, NIST CSF, or CIS Controls
- Experience with GitHub security features, CI/CD security controls, vulnerability management tools, and cloud security monitoring
- Relevant certifications: CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer, AWS Security Specialty, or Security+
Company Overview