We started MedMen with a simple vision: cannabis as a consumer product. It is a simple idea with profound consequences for how marijuana is cultivated, produced and marketed. Quality standards matter, best practices matter, brand reputation matters. Today, MedMen is the most dominant cannabis enterprise in the emerging legal marijuana industry.
MedMen's Information Security team is seeking an experienced security engineer who specializes in data privacy, data protection, and privacy laws. The successful Privacy Engineer candidate has helped fast-paced companies maintain compliance with the security and privacy provisions of regulations like GDPR, HIPAA, and state privacy laws, and is well-versed in best practice frameworks like NIST, PCI, OWASP, COBIT, or similar. The ideal candidate is also an effective security engineer with strong communication skills to strengthen the data protection language of legal contracts, give live trainings to non-technical teams on security, and mentor I.T. staff on security best practices.
* Serves as Subject Matter Expert on MedMen data privacy, data protection, and data compliance, advising on projects across the enterprise to ensure they remain compliant with best practices and state and federal laws
* Builds and maintains an inventory of all confidential data, including consumer PII and company secrets in cloud, corporate, retail, manufacturing, and vendor systems and facilities
* Assesses and hardens the security of confidential data in application, mobile, database, cloud, and vendor environments through discovery, collaboration, penetration testing, tracing and reverse engineering, and mitigation
* Identifies gaps in the security language of vendor legal contracts and privacy policies, and makes written improvements
* Keeps teams aware of new developments in data privacy and protection laws nationwide to ensure MedMen remains a leader in consumer data privacy and data compliance
* Leads audit exercises to ensure data privacy and protection policies are being observed enterprise-wide
* Independently researches, plans, and leads security privacy and engineering projects across all security domains, including application and database security, cloud and network security, access controls, firewalls, encryption, and data loss prevention (DLP), with a special focus on data privacy and protection
* Helps manage vulnerabilities, including risk ranking using common threat risk models, and remediation efforts
* Analyzes and reports on MedMen data privacy and protection metrics and trends
* Actively expands security awareness of data privacy and protection best practices and MedMen security protocols across I.T. and the company
* Contributes to MedMen's written security standards and protocols
* Mentors analysts, engineers, developers, infrastructure engineers, and project managers on data privacy and protection
* Remains aware of emerging Information Security trends, threats, and technologies, especially in the data privacy and protection space
* Bachelor's degree in Computer Science or related field, or applicable experience
* One or more advanced Information Security certifications, such as CIPP, CIPM, CIPT, CISSP, CCSP, CEH, GPEN, or equivalent
* Minimum 6 years of experience in security engineering, with a demonstrated focus on data privacy and related laws, data protection, data discovery, data loss prevention (DLP), vendor security assessments, and/or vendor legal contracts
* Minimum 3 years of experience researching, decomposing, and enforcing data privacy and protection laws, such as GDPR, HIPAA, PCI, and/or state laws
* Skillful verbal and written communication tailored to appropriate audiences
* Ability to identify security language gaps in legal contracts, and recommend written improvements
* Hands-on web, application, database, network, and cloud penetration experience using commercial and open source tools
* In-depth knowledge of common security best practice frameworks, such as NIST 800-53
* Hands-on experience with encryption (e.g., SSL/TLS, X.509 certs, PKI, symmetric)
* Prior experience with common network protocols, including TCP, HTTP, and DNS
* Strong knowledge of common web, application, and network attacks, plus defenses recommended by best practice bodies such as OWASP
* Ability to score and rank vulnerabilities using one or more common risk models
* Knowledge of Secure SDLC best practices
* Knowledge of Data Loss Prevention (DLP) methods and tools
* Hands-on experience hardening or administering Azure and/or AWS
* Experience hardening Windows Active Directory
* Experience with database administration and/or SQL
* Knowledge of Intrusion Detection/Prevention Systems (IDS/IPS)
* Knowledge of SIEM tools (e.g., syslog, Splunk, QRadar)
* Skills across manual penetration testing methods
* Skills developing code in compiled or scripting languages (e.g., .Net, Python, PHP, shell)
This position has no supervisory responsibilities.
This job operates in a professional corporate setting. This role routinely uses standard office equipment such as computers, phones, photocopiers, filing cabinets and fax machines.
While performing the duties of this job, the employee is occasionally required to stand; walk; sit; use hands to finger, handle, or feel objects, tools or controls; reach with hands and arms; climb stairs; talk or hear. The employee must occasionally lift or move office products and supplies, up to 20 pounds.
(Note: The Company complies with the Americans with Disabilities Act (ADA), as amended by the ADA Amendments Act (ADAAA), and all applicable state and local fair employment practices laws, and is committed to providing equal employment opportunities to qualified individuals with disabilities. Consistent with this commitment, the Company will provide a reasonable accommodation to disabled applicants and employees if the reasonable accommodation would allow the individual to perform the essential functions of the job, unless doing so would create an undue hardship.)
May require occasional travel, up to 10%.
Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities and activities may change at any time with or without notice.
Work Authorization/Security Clearance
There is no visa or H1-B sponsorship.
MedMen Is An Equal Opportunity Employer
Individuals seeking employment at MedMen are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity or expression, sexual orientation, or any other basis protected under federal, state or local laws.
MedMen is engaged in cannabis cultivation, manufacturing and retail.