Analyst compliance

An exciting career awaits you

At MPC, we're committed to being a great place to work - one that welcomes new ideas, encourages diverse perspectives, develops our people, and fosters a collaborative team environment.

Position Summary

The CI Federal Compliance Analyst plays a key role in supporting the company's compliance with cybersecurity and information technology regulations across multiple jurisdictions and environments. This role is responsible for assisting in the development, implementation, and monitoring of compliance programs to ensure ongoing adherence to requirements such as TSA Security Directives, U.S. Coast Guard Cybersecurity Final Rule, and Mexico Tax Authority mandates. The Analyst will collaborate with Cybersecurity, Infrastructure, Physical Security, Law, Government Affairs, and business partners to assess regulatory obligations, implement effective controls, and provide sustained oversight to mitigate compliance risks. Additionally, the role will contribute to the design of new compliance initiatives, deliver regulatory assessments, and support incident response and audit activities. This position requires a detail-oriented professional with a strong understanding of cybersecurity governance, regulatory frameworks, and the ability to drive continuous improvement in a dynamic environment.

Key Responsibilities

• Conducts controls analysis of business process and systems and reports impact of changes and additions to compliance.

• Assists with the resolution of routine multi-functional compliance issues. Prepares, performs and presents cybersecurity and regulatory assessments and associated risks.

• Evaluates the efficiency and effectiveness of compliance processes and controls in place ensuring confidentiality, integrity, and availability of data/ information, under guidance of more senior colleagues.

• Supports the design, implementation, and sustainment of new and existing compliance programs to ensure ongoing adherence to federal and international cybersecurity regulations.

• Recommends and/or executes remediation and develops cost information for such mitigation measures. Monitors networks, systems, and applications for signs of potential compliance incidents. Investigates and analyzes the nature and scope of compliance incidents.

• Analyzes security protocols, compliance reviews, administers and maintains security audits and reports of server access and activity; participates in disaster recovery planning per corporate guidelines.

• Delivers and implements global security initiatives, policies, and compliance requirements. Works with IT and security engineers to produce metrics related to regulatory compliance.

• Takes action through collaboration to improve metric results. Executes compliance security-related consulting, guidance, and support to customers and stakeholders.

• Effectively communicates emerging Information Technology/Operations Technology and cybersecurity technology trends as well as their impact on the regulatory compliance landscape.

Education and Experience

• Bachelor's Degree in Information Technology, related field or equivalent experience.

• Professional certification, e.g. Security+, Network+, CISA, CISSP preferred

• 2+ years of relevant experience required.

• 1+ years of experience with regulatory requirements preferred.

• Knowledge of NIST CSF and NIST SP 800.53 preferred.

Skills

Authentic Communicator -Expresses ideas and information, both verbally and in writing, clearly and credibly. Listens to understand and fosters constructive dialogue.

Cybersecurity Risk Management - The process of developing cyber risk assessment and treatment techniques that can effectively pre-empt and identify significant security loopholes and weaknesses, demonstrating the business risks associated with these loopholes and providing risk treatment and prioritization strategies to effectively address the cyber-related risks, threats and vulnerabilities, ensuring appropriate levels of protection, confidentiality, integrity and privacy in alignment with the security framework.

General Programming - Applies a computer language to communicate with computers using a set of instructions and to automate the execution of tasks.

Intrusion Detection - The use of security analytics, including the outputs from intelligence analysis, predictive research and root cause analysis in order to search for and detect potential breaches or identify recognized indicators and warnings. Also, monitoring and collating external vulnerability reports for organizational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes.

Penetration Testing - The practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually.

Security Controls - Manages and maintains an information system that focus on the management of risk and the management of information systems security.

Security Governance - The process of developing and disseminating corporate security policies, frameworks and guidelines to ensure that day-to-day business operations are guarded and well protected against risks, threats and vulnerabilities.

Security Information & Event Management (SIEM) - A set of tools and services offering real-time visibility across an organization's information security systems, and event log management that consolidates data from numerous sources.

Security Policy Management - The process of identifying, implementing, and managing the rules and procedures that all individuals must follow when accessing and using an organization's IT assets and resources.

Threat Analysis - Monitor intelligence-gathering and anticipate potential threats to an IT/OT systems proactively. This involves the pre-emptive analysis of potential perpetrators, anomalous activities and evidence-based knowledge and

inferences on perpetrators' motivations and tactics.

Threat Hunting - Searches through networks, endpoints, and datasets to detect and isolate cyber threats that evade existing security solutions.

Vulnerability Management - The process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures and providing the organization with the necessary knowledge, awareness and risk background to understand the threats to its business.

As an energy industry leader, our career opportunities fuel personal and professional growth.

Location:

San Antonio, Texas

Additional locations:

Findlay, Ohio

Job Requisition ID:

00018399

Location Address:

Education:

Employee Group:

Full time

Employee Subgroup:

Regular

Marathon Petroleum Company LP is an Equal Opportunity Employer and gives consideration for employment to qualified applicants without discrimination on the basis of race, color, religion, creed, sex, gender (including pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity, gender expression, reproductive health decision-making, age, mental or physical disability, medical condition or AIDS/HIV status, ancestry, national origin, genetic information, military, veteran status, marital status, citizenship or any other status protected by applicable federal, state, or local laws. If you would like more information about your EEO rights as an applicant, click here (/Department\ of\ Labor\ EEOC_.pdf) . If you need a reasonable accommodation for any part of the application process at Marathon Petroleum LP, please contact our Human Resources Department at [email protected] . Please specify the reasonable accommodation you are requesting, along with the job posting number in which you may be interested. A Human Resources representative will review your request and contact you to discuss a reasonable accommodation. Marathon Petroleum offers a total rewards program which includes, but is not limited to, access to health, vision, and dental insurance, paid time off, 401k matching program, paid parental leave, and educational reimbursement. Detailed benefit information is available at .The hired candidate will also be eligible for a discretionary company-sponsored annual bonus program. Equal Opportunity Employer: Veteran / Disability

We will consider all qualified Applicants for employment, including those with arrest or conviction records, in a manner consistent with the requirements of applicable state and local laws. In reviewing criminal history in connection with a conditional offer of employment, Marathon will consider the key responsibilities of the role.

About Marathon Petroleum Corporation

Marathon Petroleum Corporation (MPC) is a leading, integrated, downstream energy company headquartered in Findlay, Ohio. The company operates the nation's largest refining system. MPC's marketing system includes branded locations across the United States, including Marathon brand retail outlets. MPC also owns the general partner and majority limited partner interest in MPLX LP, a midstream company that owns and operates gathering, processing, and fractionation assets, as well as crude oil and light product transportation and logistics infrastructure.