Compliance Research Analyst

Engineering Requisition ID 6141 Pune, India


As a Compliance Research Analyst, you will work in the Compliance, Information Security, and Cyber/IT Security domains, developing compliance solutions for the Policy Compliance line of products. This opening provides you with an opportunity to have a significant impact on the Compliance offering from Qualys.


  • Produce detailed analyses and technical specifications for creating Qualys Controls for various technologies such as operating systems, databases, applications, network devices, web servers, hypervisors, and others.
  • Create content for Qualys Controls, such as the control statement, rationale, and remediation script/fix, and assign the control category, criticality ratings, and document mappings based on the NIST SP 800-53 r4 standard and others.
  • Create out-of-box technical standards/policies in Qualys Policy Compliance for the above technologies and configure them on the basis of in-house expertise, industry best practice, or consensus guidelines from CIS, DISA STIG, Microsoft SCT, etc.
  • Create out-of-box regulatory compliance policies for HIPAA, IT for SOX, PCI-DSS, NIST, etc.
  • Create technical standards/policies for customer-specific requirements.
  • Verify policies, controls, and control configurations for the above security standards/policies from auditors' and customers' points of view across various configuration scenarios, to validate their suitability, applicability, and relevance.
  • Map Qualys controls to various requirements from industry regulations, such as ISO 27001/2, HIPAA, PCI-DSS, SOX, GLBA, NIST, etc.
  • Research and analyze new and emerging technologies to provide compliance solutions for them.
  • Research and analyze CRM requests and provide solutions that address shortcomings and gaps in meeting customer requirements.
  • Work closely with the development, QA, management, and infrastructure teams/peers to provide high-quality deliverables with quick turnaround.

 What we are looking for in terms of hard skills:

  • Strong knowledge, understanding, and hands-on experience of operating system, application, network and security device, and database hardening, configuration, and security settings.
  • Strong knowledge and understanding of configuration and hardening guidelines, common industry/prescriptive standards such as CIS, DISA STIG, and Microsoft Security Compliance Toolkit (SCT).
  • Good knowledge of cybersecurity and information security standards/frameworks such as NIST, ISO 27001/27002, and CIS Controls.
  • Knowledge of regulatory and mandatory requirements such as HIPAA, PCI-DSS, and GDPR.
  • Excellent research, reasoning, analytical, and troubleshooting skills.
  • Scripting skills will be an added advantage, e.g. UNIX/Linux shell scripting, Perl, Python, etc.
  • Hands-on experience in regular expressions.
  • Strong knowledge and understanding of Azure AD and SaaS applications such as O365, Zoom, Salesforce, Dropbox, etc.
  • Good knowledge of Application Programming Interfaces (APIs) and of API-testing tools such as Postman and JMeter.
  • Good knowledge of PowerShell.
  • Aptitude for new/emerging technologies.
  • Ability/aptitude to learn new technologies, quickly adapt and apply them to changes in product and requirements.

 What we are looking for in terms of soft skills:

  • Take ownership for the successful delivery of the products, components, modules, and features assigned.
  • Demonstrate a strong focus on quality, with demonstrable experience of test-driven development.
  • Excellent written and verbal communication.
  • Self-motivated, detail-oriented team player with a positive, constructive 'can do' attitude, yet modest and humble when collaborating within the team and across other teams.
  • Self-driven; requires minimal supervision.
  • Uncompromising about quality; helps raise the bar for the product, team members, and hence the overall engineering organization.
  • Ability to interact effectively at all levels of an organization, across diverse cultural and linguistic barriers, and as part of a geographically distributed team.
  • Availability outside working hours for critical and high-priority events.

EEO Employer/Vet/Disabled