Security & Compliance Topics
Governance, compliance frameworks, regulatory requirements, compliance implementation, and compliance-driven risk management. Covers compliance frameworks (SOX, GDPR, HIPAA, FCPA, etc.), regulatory interpretation, compliance control design, audit and control effectiveness evaluation, and compliance process management. For operational security implementation and technical threat mitigation, see Security Engineering & Operations.
Compliance Architecture and Controls
Focuses on translating legal and regulatory obligations into technical architecture and operational controls. Candidates should demonstrate how to map requirements such as data handling rules, consent models, retention and deletion mechanisms, data subject rights workflows, breach notification processes, and processor agreement obligations into concrete design decisions and controls. Expected topics include data residency and sovereignty decisions, encryption and key management, access control and privileged access management, audit logging and tamper resistant audit trails, retention and immutability policies, backups and recovery, segmentation and isolation, change management and configuration baselining, and third party and vendor risk controls. Candidates should be able to explain trade offs between engineering feasibility and regulatory obligations, provide examples of systems or features designed or modified to meet compliance needs, describe interactions with legal, privacy, and compliance teams to interpret rules, and explain how testing, monitoring, incident response, and documentation support audit readiness and continuous compliance.
Security, Privacy, and Compliance
Comprehensive knowledge of security policy, privacy principles, regulatory compliance, and ethical considerations across the system lifecycle. Candidates should be able to discuss security governance and policy creation, rules of engagement for testing, authorized scope and documentation requirements for penetration testing, and the ethical and legal boundaries of security research. Understand incident response procedures when vulnerabilities are discovered and how security testing and controls support audits. Be familiar with major compliance frameworks and laws such as Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Service Organization Control Two, General Data Protection Regulation, and California Consumer Privacy Act, and how to map controls to requirements. Technical skills include security architecture principles, authentication and authorization patterns, encryption strategies for data in transit and data at rest, key management and secrets management, secure design and privacy by design, data governance and minimization, threat modeling and risk assessment, vulnerability management, logging and monitoring, and how to evolve security posture as systems scale. Candidates should also be able to explain operational practices for secure deployment, secure configuration, trade offs between security and usability, and how to measure and improve compliance over time.
Security and Privacy Metrics
Addresses how to measure security and privacy program effectiveness and communicate value. Topics include security KPIs like mean time to detect and mean time to respond, vulnerability remediation time, patch compliance, incident frequency and severity, and methods to assess return on security investments. For privacy, include metrics such as audit findings, training completion, data subject request processing times, vendor assessments, privacy impact assessments, and breach metrics. Candidates should be able to explain limitations of common metrics and how to link security and privacy measurements to business risk and governance reporting.
Compliance, Audit Logging, and Change Management
Understanding compliance requirements relevant to infrastructure (SOC 2, ISO 27001, HIPAA, PCI-DSS, etc.). Implementing audit logging for compliance purposes. Change management procedures and change approval workflows. Maintaining audit trails for all infrastructure changes and access. Regular compliance audits and remediation. Documentation of infrastructure changes and reasons. Version control for infrastructure configurations. Compliance reporting and audit readiness.
Compliance, Governance, and Audit
Evaluate whether an organization's controls, policies, and evidence satisfy the regulatory, contractual, and corporate requirements that apply to it. Topics include identifying and interpreting relevant regulatory frameworks (e.g. SOX, GDPR, HIPAA, PCI-DSS, SOC 2, ISO 27001), designing controls and mapping them to requirements, policy definition and enforcement (including policy-as-code tooling as one enforcement mechanism), maintaining system and data inventories for scoping, audit logging and evidence collection, detecting and remediating control gaps or configuration drift, access reviews and least-privilege enforcement, data residency and localization requirements, encryption and key management as a control area, automated compliance monitoring and reporting, and collaborating with internal and external auditors, legal, and risk teams to produce audit artifacts, respond to findings, and build remediation plans.
Compliance and Security in Migration
Design compliance and security controls to meet regulatory and audit requirements during cloud migration. Topics include data classification and residency encryption and key management identity and access management and least privilege network segmentation secure configuration hardening audit trails and evidence collection vulnerability management and monitoring. Plan validation steps that auditors and compliance teams can use during and after migration and define remediation and exception handling processes that preserve control without blocking business needs.
Data Security and Compliance
Demonstrate knowledge of data governance and compliance controls that protect sensitive data across business systems, including role based access controls, least privilege principles, data classification, encryption at rest and in transit, secure integrations, and audit trails. Candidates should be able to discuss privacy and regulatory requirements such as the General Data Protection Regulation, standards such as Service Organization Control two, retention and deletion policies, vendor and third party risk, and practical controls to balance business access needs with security and auditability.
CIS Controls and Validation Methodology
Assess knowledge of the Center for Internet Security Critical Security Controls and methodologies for validating that controls are implemented and operating effectively. Topics include designing control test cases, sampling and evidence collection strategies, configuration and configuration drift checks, integrating vulnerability discovery with control validation, automation opportunities, measuring control effectiveness, and communicating validation results to operations and audit teams. Emphasize practical techniques to demonstrate whether a control mitigates the intended class of threat and how penetration testing can be used as part of control validation.
Security and Compliance in Enterprise Environments
Assess knowledge of security controls and regulatory requirements relevant to enterprise solutions. Candidates should explain authentication and authorization patterns, encryption at rest and in transit, identity and access management, network security architectures, key management, logging and auditing, and incident response. They should be able to map technical controls to regulatory frameworks such as Service Organization Controls two, Health Insurance Portability and Accountability Act, General Data Protection Regulation and Federal Risk and Authorization Management Program, and describe how to operationalize compliance during design and deployment.