Booking Holdings Romania - It Risk & Compliance Analyst

Booking · Hospitality · Bucharest, Romania · Security & Infrastructure

This role focuses on IT risk and compliance within the Central Tech business unit, partnering with platform and development teams to design and maintain IT security and compliance controls. It involves leading risk assessments, driving automation initiatives (leveraging AI where possible), and ensuring adherence to regulations like PCI-DSS, NIST, SOx, and NIS2. The role requires bridging the gap between technical teams and audit, and reporting on risk insights.

What you'd actually do

Act as a Risk Partner to platform/service owners and development teams, providing expertise guidance with regards to PCI-DSS, NIST, SOx, NIS2 and general security best practices and tailoring compliance requirements to cloud and devops environments.
Architect "Guardrails" for secure and compliant onboarding to solutions and services, ensuring that security and compliance is "baked in" rather than "bolted on."
Lead/perform Risk Assessments for new services and/or major architectural changes to existing services or solutions. Assist teams in identifying risks and supporting them in implementing appropriate controls and safeguards.
Drive Automation Initiatives by identifying manual compliance bottlenecks and designing efficient workflows leveraging automation and AI whenever possible.
Deliver Data-Driven Risk Insights by reporting on risk coverage and issues using internal tools like Jira and ServiceNow.

Skills

Required

Experience in assisting and managing a PCI DSS program, scope and controls including mapping to PCI Requirements 1–12 and ensuring ongoing PCI compliance across in-scope endpoints, systems, and processes.
Lead risk assessments in identifying gaps and drive risk-based remediation, vulnerability management, and evidence collection for audits.
Design, implement, and maintain internal controls (technical and administrative) aligned with risk appetite and regulatory expectations; monitor control effectiveness.
Drive continuous improvement, third-party PCI risk management, audit readiness, risk reporting (KPI/dashboards), and foster PCI awareness across engineering and business teams.
Hands-on experience in business analysis, auditing, IT governance, risk management or internal controls with PCI context.
Ability to develop solid relationships with engineering/application teams in order to drive the adoption of a risk management culture.
Technical understanding of internal control requirements and able to design/apply them in various businesses.
Ability to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.

Nice to have

Cloud Security and compliance experience (AWS, Azure, etc)
Familiarity with a wide range of technologies (internally developed applications, Windows, Linux, Databases, Gitlab, etc) from a risk and security perspective.

What the JD emphasized

PCI-DSS
NIST
SOx
NIS2
security best practices
cloud and devops environments
secure and compliant onboarding
security and compliance is "baked in"
Right-Sized Advisory
control design
agile and scalable solutions
technical and audit teams
complex tech or application stacks
risk-based language
Internal/External Audit
Risk Assessments
new services
major architectural changes
existing services or solutions
identifying risks
implementing appropriate controls and safeguards
Risk Inventory
Systematically track and monitor identified issues
audits
penetration tests
risk assessments
robust and resilient risk posture
current and emerging attack vectors
Root Cause Analysis
systemic risks
control framework
Automation Initiatives
manual compliance bottlenecks
efficient workflows
automation and AI
Standardize controls
compliance fatigue
engineering teams
Enhance Methodology
risk assessment procedures
dynamic nature
high-growth tech environment
Data-Driven Risk Insights
risk coverage
issues
Jira
ServiceNow
Audit Readiness
regulatory cycles
walkthrough preparation and facilitation
coordinating evidence requests
drafting remediation & mitigation memos
engineering teams
PCI DSS program
scope and controls
PCI Requirements 1–12
ongoing PCI compliance
in-scope endpoints, systems, and processes
Lead risk assessments
identifying gaps
risk-based remediation
vulnerability management
evidence collection for audits
Design, implement, and maintain internal controls
technical and administrative
risk appetite
regulatory expectations
monitor control effectiveness
continuous improvement
third-party PCI risk management
audit readiness
risk reporting (KPI/dashboards)
foster PCI awareness
engineering and business teams
Cloud Security and compliance experience
AWS, Azure
wide range of technologies
internally developed applications
Windows, Linux, Databases, Gitlab
risk and security perspective
Hands-on experience
business analysis
auditing
IT governance
risk management
internal controls
PCI context
develop solid relationships
engineering/application teams
adoption of a risk management culture
Technical understanding
internal control requirements
design/apply them in various businesses
split large tasks
logical, manageable and decoupled actions
managed effectively
delivered on time
flexible and agile
change in business

Read full job description

Booking Holdings Romania is a Center of Excellence based in Bucharest, Romania and was created to support the increasing business demands of the Booking Holdings Brands. The Center of Excellence provides access to specialized and highly skilled talent, leading industry best practices, and collaboration opportunities across all of our Brands.

As part of our Booking Holdings Romania team, you will have the opportunity to be a part of the world’s leading provider of online travel, with a mission of making it easier for everyone to experience the world through five-primary consumer facing brands: Booking.com, Priceline, Agoda, KAYAK and OpenTable.

Role description

Booking.com follows a defense in depth strategy for managing its risks. As part of this strategy, we have 3 departments focusing on each line of defense. Global Internal Audit (GIA) is responsible for the 3rd line of defense, Risk and Controls (R&C) is responsible for the 2nd line of defense, while the responsibility of the 1st line has been distributed between process/control owners and the Risk & Control (R&C) team.

(R&C) is the first-line risk team responsible for Central Tech business unit risks and Security, Safety & Fraud (SS&F) risks across the company. The IT Risk & Compliance Analyst for Central Tech is responsible for partnering with the platform and capability owners throughout the Central Tech business function to design and maintain IT security and compliance controls in line with our risk appetite and regulatory requirements and to maintain the quality of our processes.

The role requires close collaboration with platform owners and development teams to have a solid high level understanding of the risks and environment while diving into the details as required to understand the solution design and designing effective controls.

This role provides a hybrid way of working with an onsite presence of 2 days/week.

Key Job Responsibilities and Duties** **

Risk and Compliance Partnership

Act as a Risk Partner to platform/service owners and development teams, providing expertise guidance with regards to PCI-DSS, NIST, SOx, NIS2 and general security best practices and tailoring compliance requirements to cloud and devops environments.
Architect "Guardrails" for secure and compliant onboarding to solutions and services, ensuring that security and compliance is "baked in" rather than "bolted on."
Provide Right-Sized Advisory on control design, promoting agile and scalable solutions that address any risks without overengineering and ensuring controls are effective and not obstructive.
Bridge the Gap between technical and audit teams; working with platform/service teams to translate complex tech or application stacks into risk-based language for Internal/External Audit.

Risk Assessments

Lead/perform Risk Assessments for new services and/or major architectural changes to existing services or solutions. Assist teams in identifying risks and supporting them in implementing appropriate controls and safeguards.
Maintain the Risk Inventory. Systematically track and monitor identified issues originating from audits, penetration tests, and/or risk assessments to ensure Booking.com maintains a robust and resilient risk posture against current and emerging attack vectors.
Work with teams to Perform Root Cause Analysis on issues to identify systemic risks and drive improvements to the control framework.

Automation & Continuous Improvement

Drive Automation Initiatives by identifying manual compliance bottlenecks and designing efficient workflows leveraging automation and AI whenever possible.
Standardize controls across platforms to simplify compliance and reduce "compliance fatigue" for engineering teams.
Enhance Methodology: Contribute to the refinement of risk assessment procedures to keep pace with the dynamic nature of a high-growth tech environment.

Risk Reporting & Compliance Execution

Deliver Data-Driven Risk Insights by reporting on risk coverage and issues using internal tools like Jira and ServiceNow.
Support Audit Readiness by working with platform/service owners to ensure they are prepared for regulatory cycles, walkthrough preparation and facilitation, coordinating evidence requests and drafting remediation & mitigation memos as needed and aligning with engineering teams

Role Qualifications and Requirements

3 - 5 years of relevant experience
Bachelor’s Degree
Experience in assisting and managing a PCI DSS program, scope and controls including mapping to PCI Requirements 1–12 and ensuring ongoing PCI compliance across in-scope endpoints, systems, and processes.
Lead risk assessments in identifying gaps and drive risk-based remediation, vulnerability management, and evidence collection for audits.
Design, implement, and maintain internal controls (technical and administrative) aligned with risk appetite and regulatory expectations; monitor control effectiveness.
Drive continuous improvement, third-party PCI risk management, audit readiness, risk reporting (KPI/dashboards), and foster PCI awareness across engineering and business teams.
Cloud Security and compliance experience (AWS, Azure, etc) would be an advantage
Familiarity with a wide range of technologies (internally developed applications, Windows, Linux, Databases, Gitlab, etc) from a risk and security perspective.
Hands-on experience in business analysis, auditing, IT governance, risk management or internal controls with PCI context.
Ability to develop solid relationships with engineering/application teams in order to drive the adoption of a risk management culture.
Technical understanding of internal control requirements and able to design/apply them in various businesses.
Ability to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.
Be flexible and agile in response to the change in business, stakeholder expectations and/or change in regulatory/operating environment.
Strong independent contributor and be a strong team player.
Strong communication skills; fully comfortable working in English, both written and spoken

Benefits & Perk****s

Contributing to a high scale, complex, world renowned product and seeing real-time impact of your work on millions of travelers worldwide
Working in a fast-paced and performance driven culture
Technical, behavioral and interpersonal competence advancement via on-the-job opportunities, experimental projects, hackathons, conferences and active community participation
Competitive compensation and benefits package
Vast amounts of data to validate your ideas and the opportunity to experiment with real users

Booking Holdings is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. We strive to move well beyond traditional equal opportunity and work to create an environment that allows everyone to thrive.

Pre-Employment Screening

If your application is successful, your personal data may be used for a pre-employment screening check by a third party as permitted by applicable law. Depending on the vacancy and applicable law, a pre-employment screening may include employment history, education and other information (such as media information) that may be necessary for determining your qualifications and suitability for the position.