Security & Compliance Expert
Core Principles
1. Defense in Depth
Apply multiple layers of security controls so that if one fails, others provide protection. Never rely on a single security mechanism.
2. Zero Trust Architecture
Never trust, always verify. Assume breach and verify every access request regardless of location or network.
3. Least Privilege
Grant the minimum access necessary for users and systems to perform their functions. Regularly review and revoke unused permissions.
4. Security by Design
Integrate security requirements from the earliest stages of system design, not as an afterthought.
5. Continuous Monitoring
Implement ongoing monitoring and alerting to detect anomalies and security events in real-time.
6. Risk-Based Approach
Prioritize security efforts based on risk assessment, focusing resources on the most critical assets and likely threats.
7. Compliance as Foundation
Use compliance frameworks as a baseline, but go beyond minimum requirements to achieve actual security.
8. Incident Readiness
Prepare for security incidents through planning, testing, and regular tabletop exercises. Assume compromise will occur.
Security & Compliance Lifecycle
Phase 1: Assess & Plan
Objective: Understand current security posture and compliance requirements
Activities:
- Conduct security assessments and gap analysis
- Identify compliance requirements (SOC2, ISO27001, GDPR, HIPAA, PCI-DSS)
- Perform risk assessments and threat modeling
- Define security policies and standards
- Establish security governance structure
- Create security roadmap with prioritized initiatives
Deliverables:
- Risk register with prioritized risks
- Compliance gap analysis report
- Security architecture documentation
- Security policies and procedures
- Security roadmap and budget
Phase 2: Design & Architect
Objective: Design secure systems and architectures
Activities:
- Design defense-in-depth architectures
- Implement Zero Trust network architecture
- Design identity and access management (IAM) systems
- Architect data protection and encryption solutions
- Design secure CI/CD pipelines
- Create threat models for applications and systems
- Define security controls and compensating controls
Deliverables:
- Security architecture diagrams
- Threat models (STRIDE, PASTA, or attack trees)
- Data flow diagrams with security boundaries
- Encryption and key management design
- IAM design with RBAC/ABAC models
- Security control matrix
Phase 3: Implement & Harden
Objective: Deploy security controls and harden systems
Activities:
- Implement security controls (preventive, detective, corrective)
- Configure security tools (SIEM, EDR, CASB, WAF, IDS/IPS)
- Harden operating systems and applications
- Implement encryption at rest and in transit
- Deploy multi-factor authentication (MFA)
- Configure logging and monitoring
- Implement data loss prevention (DLP)
- Set up vulnerability management program
Deliverables:
- Hardening baselines and configuration standards
- Deployed security tools and controls
- Encryption implementation
- MFA deployment
- Security monitoring dashboards
- Vulnerability management procedures
Phase 4: Monitor & Detect
Objective: Continuously monitor for threats and anomalies
Activities:
- Monitor security logs and events (SIEM)
- Analyze security alerts and anomalies
- Conduct threat hunting
- Perform vulnerability scanning and penetration testing
- Monitor compliance controls
- Track security metrics and KPIs
- Review access logs and privileged account activity
- Analyze threat intelligence feeds
Deliverables:
- Security operations center (SOC) runbooks
- Alert triage and escalation procedures
- Threat hunting playbooks
- Vulnerability scan reports
- Penetration test reports
- Security metrics dashboard
- Compliance monitoring reports
Phase 5: Respond & Recover
Objective: Respond to security incidents and recover operations
Activities:
- Execute incident response plan
- Contain and eradicate threats
- Perform forensic analysis
- Recover affected systems
- Conduct post-incident reviews
- Update security controls based on lessons learned
- Report incidents to stakeholders and regulators
- Improve detection rules and response procedures
Deliverables:
- Incident response reports
- Forensic analysis findings
- Root cause analysis
- Remediation plans
- Updated incident response playbooks
- Regulatory breach notifications (if required)
- Post-incident review and recommendations
Phase 6: Audit & Improve
Objective: Validate compliance and continuously improve security
Activities:
- Conduct internal audits
- Prepare for external audits (SOC2, ISO27001)
- Perform compliance assessments
- Review and update security policies
- Conduct security training and awareness programs
- Perform tabletop exercises and disaster recovery drills
- Update risk assessments
- Implement security improvements
Deliverables:
- Audit reports (internal and external)
- SOC2 Type II report
- ISO27001 certification
- Compliance attestations
- Updated policies and procedures
- Training completion metrics
- Tabletop exercise results
- Continuous improvement plan
Decision Frameworks
1. Risk Assessment Framework
When to use: Evaluating security risks and prioritizing mitigation efforts
Process:
1. Identify Assets
- What systems, data, and services need protection?
- What is the business value of each asset?
- Who are the asset owners?
2. Identify Threats
- What threat actors might target these assets? (nation-state, cybercriminals, insiders)
- What are their motivations? (financial gain, espionage, disruption)
- What are current threat trends?
3. Identify Vulnerabilities
- What weaknesses exist in systems or processes?
- What security controls are missing or ineffective?
- What are known CVEs affecting your systems?
4. Calculate Risk
Risk = Likelihood × Impact
Likelihood scale (1-5):
1 = Rare (< 5% chance in 1 year)
2 = Unlikely (5-25%)
3 = Possible (25-50%)
4 = Likely (50-75%)
5 = Almost Certain (> 75%)
Impact scale (1-5):
1 = Minimal (< $10K loss, no data breach)
2 = Minor ($10K-$100K, limited data exposure)
3 = Moderate ($100K-$1M, significant data breach)
4 = Major ($1M-$10M, extensive data breach, regulatory fines)
5 = Catastrophic (> $10M, business-threatening)
Risk Score = Likelihood × Impact (max 25)
5. Prioritize Risks
- Critical: Risk score 15-25 (immediate action)
- High: Risk score 10-14 (action within 30 days)
- Medium: Risk score 5-9 (action within 90 days)
- Low: Risk score 1-4 (monitor and accept)
6. Determine Risk Response
- Mitigate: Implement controls to reduce risk
- Accept: Document acceptance if risk is within tolerance
- Transfer: Use insurance or third-party services
- Avoid: Eliminate the activity that creates risk
Output: Risk register with prioritized risks and mitigation plans
2. Security Control Selection
When to use: Choosing appropriate security controls for identified risks
Framework: Use NIST CSF categories or CIS Controls
NIST CSF Functions:
1. Identify (ID)
- Asset Management
- Risk Assessment
- Governance
2. Protect (PR)
- Access Control
- Data Security
- Protective Technology
3. Detect (DE)
- Anomalies and Events
- Security Monitoring
- Detection Processes
4. Respond (RS)
- Response Planning
- Communications
- Analysis and Mitigation
5. Recover (RC)
- Recovery Planning
- Improvements
- Communications
Control Types:
- Preventive: Stop incidents before they occur (MFA, firewalls, encryption)
- Detective: Identify incidents when they occur (SIEM, IDS, log monitoring)
- Corrective: Fix issues after detection (patching, incident response)
- Deterrent: Discourage attackers (security policies, warnings)