Security Governance, Risk & Privacy Topics
Governance, compliance frameworks, regulatory requirements, compliance implementation, and compliance-driven risk management. Covers compliance frameworks (SOX, GDPR, HIPAA, FCPA, etc.), regulatory interpretation, compliance control design, audit and control effectiveness evaluation, and compliance process management. For operational security implementation and technical threat mitigation, see Security Engineering & Operations.
Privacy and Security Alignment
The relationship between privacy and security: how they overlap and differ, and how access control, least privilege, encryption, and other security controls serve privacy goals. Covers aligning privacy and security programs and reasoning about safeguards that protect personal data at scale. Includes distinguishing a privacy failure from a security failure.
Risk Assessment and Management
Identifying, analyzing, prioritizing, and treating information-security, compliance, and privacy risk. Covers qualitative and quantitative risk assessment methodologies, threat and vulnerability identification, likelihood and impact (and severity-of-harm) scoring, risk registers, and treatment decisions (accept, mitigate, transfer, avoid). Includes privacy-specific assessments such as DPIAs and PIAs: when an assessment is required, how to structure it, and how to weigh likelihood and severity of harm to individuals, plus prioritizing compliance and privacy risk across a portfolio of initiatives. Emphasizes structured, repeatable methodology tied to business context.
Audit Readiness, Evidence and Inspection Management
Preparing for internal and external audits and inspections, assembling the evidence auditors require, and managing the relationship with auditors, examiners, and regulators. Covers audit logging and evidence-collection strategy, sampling, maintaining continuous audit readiness and audit-trail integrity, coordinating fieldwork, responding to auditor requests, and handling adverse findings professionally. Both the make-it-demonstrable and the being-audited sides of assurance.
Data Classification and Sensitivity Handling
Classifying data by sensitivity and applying controls proportionate to that classification: identifying personal, sensitive, and special-category data and tagging it through its lifecycle. Covers classification schemes, labeling, and how classification drives access, encryption, and retention decisions. Includes assessing the impact of a given data type on privacy and security risk.
Compliance Frameworks and Certification Standards
The major security compliance frameworks and how to achieve and maintain certification against them: SOC 2, ISO 27001, NIST CSF, NIST 800-53, CIS Controls, PCI DSS, and FedRAMP. Covers what each framework governs, how control families map to organizational practices, and how to scope, prepare for, and pass a certification assessment. Emphasizes framework selection and reconciling overlapping control requirements across standards.
Communicating Security and Privacy Risk to Stakeholders and Leadership
Translating technical security, compliance, and privacy risk into language that executives, boards, and non-technical stakeholders can act on. Covers framing risk in business terms, influencing leadership on investment and strategy, tailoring the message to the audience, and driving decisions through communication. The persuasion-and-translation skill, distinct from the metrics themselves.
Security Clearance and Background Investigation Readiness
Preparing for clearance-gated roles: clearance levels and what each requires, the background-investigation process, factors affecting eligibility, maintaining and transferring an existing clearance, and discussing clearance status appropriately in interviews.
Internal Controls Design and Effectiveness Testing
Designing security and compliance controls and evaluating whether they operate effectively. Covers control objectives, preventive vs detective vs corrective controls, control mapping to risks and frameworks, design-effectiveness vs operating-effectiveness testing, and corrective and preventive action when a control fails. The 'do the controls actually work' discipline.
Data Minimization and Retention
Collecting and keeping only what is necessary: data minimization at collection, purpose limitation, and retention scheduling with automated deletion. Covers defining retention periods, enforcing them technically, and defensibly disposing of data. Includes balancing operational or analytics needs against minimization obligations.