Security & Compliance Topics
Governance, compliance frameworks, regulatory requirements, compliance implementation, and compliance-driven risk management. Covers compliance frameworks (SOX, GDPR, HIPAA, FCPA, etc.), regulatory interpretation, compliance control design, audit and control effectiveness evaluation, and compliance process management. For operational security implementation and technical threat mitigation, see Security Engineering & Operations.
Security, Privacy, and Compliance
Comprehensive knowledge of security policy, privacy principles, regulatory compliance, and ethical considerations across the system lifecycle. Candidates should be able to discuss security governance and policy creation, rules of engagement for testing, authorized scope and documentation requirements for penetration testing, and the ethical and legal boundaries of security research. Understand incident response procedures when vulnerabilities are discovered and how security testing and controls support audits. Be familiar with major compliance frameworks and laws such as Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Service Organization Control Two, General Data Protection Regulation, and California Consumer Privacy Act, and how to map controls to requirements. Technical skills include security architecture principles, authentication and authorization patterns, encryption strategies for data in transit and data at rest, key management and secrets management, secure design and privacy by design, data governance and minimization, threat modeling and risk assessment, vulnerability management, logging and monitoring, and how to evolve security posture as systems scale. Candidates should also be able to explain operational practices for secure deployment, secure configuration, trade offs between security and usability, and how to measure and improve compliance over time.
Data Security and Compliance
Demonstrate knowledge of data governance and compliance controls that protect sensitive data across business systems, including role based access controls, least privilege principles, data classification, encryption at rest and in transit, secure integrations, and audit trails. Candidates should be able to discuss privacy and regulatory requirements such as the General Data Protection Regulation, standards such as Service Organization Control two, retention and deletion policies, vendor and third party risk, and practical controls to balance business access needs with security and auditability.
Security and Compliance Architecture
Architecting systems to meet security requirements and regulatory and compliance obligations. Candidates should understand how to embed data classification, data governance, encryption, least privilege access, audit trails and logging, secure design patterns, and threat modeling into architectures. Expect discussion of how architectural choices affect obligations under common regulations such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, and System and Organization Controls frameworks. Topics include documenting architecture for compliance reviewers, retention and data residency considerations, denial of service mitigation and web application firewall strategies, and balancing security controls with usability and operational cost. Candidates should be able to describe when to engage legal and compliance teams and how to design for auditability and evidence capture.