Security Policy and Compliance Engineer
SpaceX was founded under the belief that a future where humanity is out exploring the stars is fundamentally more exciting than one where we are not. Today SpaceX is actively developing the technologies to make this possible, with the ultimate goal of enabling human life on Mars.
This engineer is part of the Information Assurance and Compliance team and is responsible for supporting SpaceX’s ISO-27001 and NIST 800-53 compliance efforts. Under the direction of management, this position will focus on supporting the ISO-27001 and NIST 800-53 compliance program as part of the Information Security Management System (ISMS).
- Assess and interpret Information Assurance requirements to design and engineer actionable, pragmatic and sustainable Information Security controls.
- Serve in an advisory and consultative capacity to control owners on practical and technically accurate control design and implementation techniques based on requirements.
- Focus on documenting and auditing:
  - System hardening
  - Secure software development and threat modeling
  - Security system architecture
  - Vulnerability management
  - Configuration management and automation
  - Logging and monitoring systems
  - Endpoint host security
  - Supplier and customer security reviews
- Work with functional engineering talent to drive control review. Design and create frictionless, in-depth system-level documentation in support of the ISO-27001 and NIST 800-53 implementation.
- Assess and interpret Information Assurance requirements to help design actionable, pragmatic and sustainable Information Security controls as required by the ISO-27001 and NIST 800-53 control framework.
- Work with system owners and engineers to drive implementation and ongoing management of the ISMS control framework based on requirements.
- Create high-quality technical documentation (e.g. policies, procedures, standards and guidelines). Document control framework implementation in a Governance, Risk and Compliance (GRC) tool, with workflow to automate control review and data collection.
- Facilitate and lead assessments of control posture and maturity. Stratify risks and operate a risk register. Validate, prioritize and drive remediation of control gaps with system owners.
- Facilitate and liaise with external auditors and stakeholders on audits and reviews.
- Partner with internal stakeholders to support negotiations of Information Assurance contractual agreements with customers.
- Assist with developing and delivering security awareness materials and training.
- Communicate complex concepts to senior management, technical personnel, auditors and external stakeholders in a concise and professional manner.
- Assist management with Information Assurance roadmap creation, execution and managing of expectations with all in-scope stakeholders.
- Assist with meeting all other IT security compliance requirements.
- Perform other tasks under the direction of management.
- Bachelor’s degree in information assurance/security/technology, computer science, engineering, or similar technical discipline
- Minimum of 7 years of experience in information security/assurance
- Experience with system hardening and/or implementing enterprise security controls
Preferred Skills and Experience:
- Master’s degree in information assurance/security/technology and 10 years demonstrated working experience in Information Assurance, Security or Technology.
- Broad knowledge and practical understanding of modern IT Infrastructure, DevOps and Agile Software Development.
- Demonstrated competency evaluating and implementing Information Assurance controls based on recognized frameworks (e.g. ISO-27001/2, NIST SP 800-53, CNSSI 1253, DoD 5200/8500 series) in a high-security environment.
- Robust technical policy writing skills with a penchant for balancing requirements with practicality and first principles reasoning.
- Very strong project management, presentation and communication skills.
- In-depth knowledge of data protection and integrity, operating systems, network security, authentication, and security protocols.
- Demonstrated success building trust with engineering teams to drive compliance requirements in an Agile and highly innovative environment.
- Demonstrated experience auditing or assessing as many of the following as possible: Linux (Debian/Ubuntu), Windows (7/2008/2012), Arista/Cisco switches, Palo Alto firewalls, the ELK stack (Elasticsearch, Logstash, Kibana) and configuration management tools such as Puppet.
- Understanding of Agile software development methodology and tools (Scrum, Kanban, Jira), version control systems and continuous integration processes (Jenkins, Bamboo). Knowledge of secure SDLC and threat-modeling methodologies (e.g. BSIMM, STRIDE, DREAD).
- Knowledge of compliance automation via GRC tool workflows and of control automation techniques using scripting. Familiarity with scripting languages (Bash, Python) is desirable.
- Certifications: ISO 27001 Lead Auditor/Implementer; CISA, CISM, CISSP, SANS GSEC, PMP
- To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.
SpaceX is an Equal Opportunity Employer; employment with SpaceX is governed on the basis of merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.
Applicants wishing to view a copy of SpaceX’s Affirmative Action Plan for veterans and individuals with disabilities, or applicants requiring reasonable accommodation to the application/interview process should notify the Human Resources Department at (310) 363-6000.