Director of Cybersecurity and Compliance Consulting Services

Position type: Permanent
Location: Remote
Job ID: DIRCY01
Compensation: Salary + Ownership

Summary of the Role

The Director of Cybersecurity and Compliance Consulting Services is responsible for working with databrackets' clients in several capacities, including:

  • reviewing their compliance and cybersecurity posture;
  • drafting and delivering technical reports;
  • drafting security policies and procedures;
  • building maturity models and creating business proposals; and
  • delivering a host of technical and business-centric documentation and work products.

As Director, you will also be responsible for managing projects, drafting work products, executing governance/risk/compliance (GRC) engagements, and ensuring that databrackets' clients meet their compliance, privacy, and/or security requirements.

General Duties and Objectives

  • Perform analysis and trending (reports, dashboards, status updates, etc.) on internal or external progress or events affecting clients' information security.
  • Engage with clients to understand technical process steps, identify risks, and drive toward completed documentation that aligns with the various programs.
  • Manage client meetings, including ensuring that all data requests, timing and schedules, and contact points are defined.
  • Prepare client deliverables utilizing excellent analytical, writing, and presentation skills.
  • Research regulations by reviewing regulatory bulletins and other sources of information.
  • Prepare management reports.
  • Consult with leadership to improve control efficiencies and operating effectiveness.
  • Partner with key client stakeholders to obtain and review compliance evidence in support of technical ISO, SOC 2, and other certification/attestation requirements.
  • Support the completion of the annual HIPAA, NYDFS, ISO, NIST, COSO, or other client attestations.
  • Manage key compliance milestones for critical systems and complex processes.
  • Ensure that all IT policies and procedures are documented and updated according to regulatory standards, that deadlines are met, approvals obtained, guidelines followed, and repository usage understood, and that the repository or system of record is kept up to date as defined by the IT Governance program.
  • Coordinate various GRC repository system improvement projects and activities to enhance the system of record and maintain effective process controls.
  • Develop and maintain risk registers and design self-assessments to help identify risks.
  • Serve as an escalation point to track and follow up on risk events.

About the ideal candidate

  • University degree in Computer Science, Information Technology, or equivalent.
  • 5+ years of IT audit experience.
  • BS/MS degree in Computer Science or a related field and/or 5 years of experience in Information Security or Assurance, Privacy, Forensics, or IT Audit preferred.
  • CISA, CISM, CIPP, CIA, SANS GIAC, CISSP, and/or other cybersecurity-related certifications recommended.
  • Security certifications such as GSNA, GCCC, CISSP, or other related certifications.
  • Excellent written and verbal communication skills.
  • Knowledge of IT controls, risk assessments, and the design and testing of security measures.
  • Understanding of technical audit processes.
  • Understanding of cyber and information security and how to align client initiatives with the company's business objectives.
  • Demonstrated success in a client-facing service role.
  • Familiarity with a variety of technologies, operating systems, databases, and reporting and data analytics tools.
  • Understanding of risk assessment methodologies such as FAIR, OCTAVE, Allegro, and/or other quantitative or qualitative methods.
  • Key Security Framework Background: Understand cybersecurity frameworks and implement or adapt an organization's security program so that it can become certified. Such frameworks include ISO 27001/2; NIST security frameworks including CSF, 800-171, 800-53, and 800-37; and FedRAMP.
  • Key Compliance Background: Understand how to review control design from policy to procedure to evidence. Have experience in making improvement recommendations and remediating control design.
  • Familiarity with data governance and privacy regulations such as GLBA and NYDFS.
  • Subject matter expertise related to:
      • SSAE 18 / SOC 1 / SOC 2
      • IT risk assessment / operational IT audit
      • IT general controls
      • COBIT framework

Application process

Create your candidate profile, construct your CV, and send it to info@databrackets.com or apply using the link below. Once we have received your application, our recruiters will get in touch with you to arrange a telephone interview.


Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks


Many organizations are turning to certification authorities and security standards/frameworks to demonstrate adherence to privacy and security best practices for customer data, to show compliance with regulatory bodies, and to build trust with partners and customers. Several standards, frameworks, and guidance documents help organizations bring a structured approach to cybersecurity.

databrackets, with the help of its partners and consultants, has compiled the important security standards/frameworks in the industry based on the practical aspects of considering or adopting them. We also pulled some data from Google Trends to understand more about customers' interest in compliance/cybersecurity standards:

[Figure: Google Trends search interest in different security standards/frameworks (NIST, ISO 27001, SOC 2, and others)]


A quick summary of each of the standards/frameworks used in our comparison:

NIST Security Guidelines: NIST security standards are based on best practices drawn from several security documents, organizations, and publications, and are designed as a framework for federal agencies and programs requiring security measures. In addition, many non-federal organizations are adopting these guidelines to demonstrate adoption of authoritative security best practices.

ISO 27001: ISO 27001, on the other hand, is a less technical, more risk-based standard for organizations of all shapes and sizes. ISO/IEC 27001 is widely known for providing the requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties.

SOC 2 Type 1 or 2: SOC 2 reports cover the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users' data, and to the confidentiality and privacy of the information processed by these systems.

FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly transition from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

HITRUST: HITRUST stands for the Health Information Trust Alliance. HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

Cloud Security Alliance: The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions that a cloud consumer or cloud auditor may wish to ask of a cloud provider to ascertain its compliance with the Cloud Controls Matrix (CCM).

Shared Assessments: Shared Assessments provides best practices, solutions, and tools for third-party risk management, with the mission of creating an environment of assurance for outsourcers and their vendors.


NIST Standards, ISO 27001, SOC 2 and Other Framework Comparisons

| Key Features | NIST Standards | ISO 27001 | SOC 2 | Other Standards/Frameworks (including FedRAMP, CSA, HITRUST, Shared Assessments, etc.) | Notes |
|---|---|---|---|---|---|
| Certification | Not Applicable | Yes | Yes | Yes | Need to engage certifying bodies/approved vendors |
| Approach | Control-based | Risk-based | Controls-based | Maps to other standards | Technical and general controls |
| Principle | Control Families | Information Security Management Systems | Trust Services Criteria & Ethics | Depends | Platform-specific controls are not covered by the standards/certification bodies |
| Certification Method | Self | Authorized Third Party | Authorized CPA Firms | Third-party vendors | Certification bodies require accreditation |
| Best Suited For | All | Service Org. | Service/Product Companies | Service/Product Companies | Increasingly, customers/the marketplace require some sort of certification |
| Popular in … | US Federal/Commercial | International | US Companies | US | ISO 27001 seems to be more popular globally |
| Customer Acceptance | Not Widely Accepted | Preferred | Preferred | Depends | Refer to the Google Trends graph: in order of acceptance, ISO 27001, SOC 2, and other certifications |
| Duration | Point-in-time | Point-in-time | 6-month period (Type 2) | Point-in-time | Surveillance audits are in place for most of the certifications |
| Audit Frequency | Not Applicable | Every Year | Every Year to 18 months | Depends | Minimum of a 12 to 18 month period |
| Cost | $ | $$ | $$$ | $$$$ | HITRUST certifications cost north of $50k |

The above table is a highly simplified representation of many of the standards and may not accurately portray the individual standards/frameworks.

databrackets specializes in assisting organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets' SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, our customers and partners are meeting the growing demand for data security and evolving compliance requirements more efficiently.


Prepare for California Consumer Privacy Act (CCPA)


The California Consumer Privacy Act (CCPA) gives California consumers control over their personal information and data privacy rights, including the right to know what personal information businesses collect about them, to have it deleted, and to opt out of its sale.

Definition of CCPA

CCPA is a state-wide data privacy law that regulates how businesses may handle the personal data of California residents. It came into effect on January 1, 2020, and is the first law of its kind in the United States.


Who is covered under CCPA?

Any for-profit entity that does business in California, collects, sells, or shares consumer data, and:

– has annual gross revenue exceeding 25 million, or
– possesses the personal information of 50,000 or more consumers, or
– earns more than half of its annual revenue by selling consumers' personal information.


How does the regulation work?

Under the regulation, Californians may sue companies that fail to prevent data breaches or to protect personal data from misuse. Californians can also opt out of having their data shared with companies.


CCPA requirements

To comply with CCPA, a business has to:

– identify and classify data assets;
– find out where CCPA personal information is located and stored;
– identify risky data and check its access permissions;
– locate personal data that is stale;
– adjust permissions to what is required;
– deploy role-based access controls;
– delete stale personal data;
– monitor personal data against threats;
– review data permissions continually;
– adjust protocols against cyber threats; and
– organize relevant data.


Consequences and Penalties for violations

There are two types of penalties for violations:

– civil penalties
– private right of action

Civil penalties

Civil penalties for CCPA violations include:

– 2,500 per non-intentional violation
– 7,500 per intentional violation

Any business that cures its noncompliance within 30 days of being notified does not need to pay the penalties. However, some noncompliance cannot be cured.

Private Right of Action

– $100 to $750 per customer per incident, or actual damages, whichever is greater
– relief that the courts deem proper
– declaratory or injunctive relief


Benefits and drawbacks of CCPA

Benefits:

– Greater transparency from companies.
– Customers have the right to know about all data collected about them and can request this data for free twice per year.
– Customers have the right to opt out of having their data sold.
– Customers can request that their data be deleted, can sue companies if their data is stolen, and are better positioned against identity theft.
– Businesses gain the competitive advantage that compliance brings.

Drawbacks:

– Regulatory compliance with CCPA means additional work for businesses to ensure compliance.
– CCPA can be costly to businesses.
– Customers can only ask a business to either delete all of their data or keep all of it, an all-or-nothing choice that does not always reflect what the customer actually wants.


Best Practices for Complying with the CCPA

The best practices for CCPA compliance are:

– Create an internal privacy framework that lays out how you will comply with CCPA.
– Do more with less data by minimizing the data you collect, store, use, and transmit.
– Automate compliance with tools for data mapping, data protection, and consent management.
– Be specific about your internal and external privacy posture.


Additional Resources for Further Investigation

Refer to the original CCPA text for additional details about the CCPA regulations.


Conclusion

Conforming to CCPA standards does not have to be a hassle, and databrackets is here to help. Our experts and consultants can provide a cost-effective CCPA readiness assessment, so you can focus on profitability rather than spending your time mastering the ins and outs of CCPA. Schedule a consultation with us today!