Compliance Research Analyst
As a Compliance Research Analyst, you will work in the Compliance, Information Security, and Cyber/IT Security domains, developing compliance solutions for the Policy Compliance line of products. This opening provides you with an opportunity to create a significant impact on the Compliance offering from Qualys.
- Create detailed analyses and technical specifications for building Qualys Controls for various technologies such as operating systems, databases, applications, network devices, web servers, hypervisors, and others.
- Create content for Qualys Controls, such as the control statement, rationale, and remediation script/fix, and assign the control category, criticality ratings, and document mappings based on the NIST SP 800-53 r4 standard and others.
- Create out-of-box technical standards/policies in Qualys Policy Compliance for the above technologies and configure them on the basis of in-house expertise, industry best practice, or consensus guidelines from CIS, DISA STIG, Microsoft SCT, etc.
- Create out-of-box regulatory compliance policies for HIPAA, IT for SOX, PCI-DSS, NIST, etc.
- Create technical standards/policies for customer-specific requirements.
- Verify policies, controls, and control configurations for the above security standards/policies from the auditors' and customers' point of view across various configuration scenarios to validate their suitability, applicability, and relevance.
- Map Qualys controls to various requirements from industry regulations, such as ISO 27001/2, HIPAA, PCI-DSS, SOX, GLBA, NIST, etc.
- Research and analyze new and emerging technologies to provide compliance solutions for them.
- Research and analyze CRM and provide solutions to address shortcomings and gaps in meeting customer requirements.
- Work closely with the development, QA, management, and infrastructure teams/peers to provide high-quality deliverables with quick turnarounds.
What are we looking for in terms of hard skills:
- Strong knowledge, understanding, and hands-on experience of operating system, application, network and security device, and database hardening, configurations, and security settings.
- Strong knowledge and understanding of configuration and hardening guidelines, common industry/prescriptive standards such as CIS, DISA STIG, and Microsoft Security Compliance Toolkit (SCT).
- Good knowledge of cybersecurity and information security standards/frameworks such as NIST, ISO 27001/27002, and CIS Controls.
- Knowledge of regulatory and mandatory requirements such as HIPAA, PCI-DSS, and GDPR.
- Excellent research, reasoning, analytical, and troubleshooting skills.
- Scripting skills will be an added advantage, e.g. UNIX/Linux shell scripting, Perl, Python, etc.
- Hands-on experience in regular expressions.
- Strong knowledge and understanding of Azure AD and SaaS applications such as O365, Zoom, Salesforce, Dropbox, etc.
- Good knowledge of Application Programming Interfaces (APIs) and API-testing tools such as Postman, JMeter, etc.
- Good knowledge of PowerShell.
- Aptitude for new/emerging technologies.
- Ability to learn new technologies quickly and apply them to changes in the product and requirements.
What are we looking for in terms of soft skills:
- Take ownership for the successful delivery of the products, components, modules, and features assigned.
- Demonstrate a strong quality focus and demonstrable experience with test-driven development.
- Excellent written and verbal communication.
- Self-motivated, team player, and detail-oriented with a 'can do' positive and constructive attitude, yet modest and humble when collaborating within the team and across other teams.
- Self-driven; requires minimal supervision.
- Uncompromising attitude toward quality; helps raise the bar for the product, team members, and hence the overall engineering organization.
- Ability to interact effectively at all levels of an organization, across diverse cultural and linguistic barriers, and as part of a geographically distributed team.
- Availability outside working hours for critical and high-priority events.