Security Policy and Compliance Engineer (Information Assurance & Compliance)

SpaceX was founded under the belief that a future where humanity is out exploring the stars is fundamentally more exciting than one where we are not. Today SpaceX is actively developing the technologies to make this possible, with the ultimate goal of enabling human life on Mars.
Security Policy and Compliance Engineer
This engineer is part of the Information Assurance and Compliance team and is responsible for supporting SpaceX's ISO-27001 certification and NIST 800-53 compliance efforts. Under the direction of management, this position will initially focus heavily on supporting the ISO-27001 certification process and NIST 800-53 compliance program as part of the Information Security Management System (ISMS).
Assess and interpret Information Assurance requirements to design and engineer actionable, pragmatic and sustainable Information Security controls.
Serve in an advisory and consultative capacity, advising control owners on practical and technically accurate control design and implementation techniques based on requirements.
Focus on documenting and auditing security controls on in-scope systems in context of ISO-27001 certification and NIST 800-53 security program. The engineer will work on projects such as:
System hardening
Secure software development and threat modeling
Security System Architecture
Vulnerability Management
Configuration Management & Automation
Logging & monitoring systems
Endpoint Host Security
Work with rock star functional engineering talent to drive control review. Design and create frictionless in-depth system level documentation in support of the ISO-27001 and NIST 800-53 implementation.
Assess and interpret Information Assurance requirements to help design actionable, pragmatic and sustainable Information Security controls as required by the ISO-27001 and NIST 800-53 control framework.
Work with system owners and engineers to drive implementation and ongoing management of the ISMS control framework based on requirements.
Create high quality technical documentation (i.e. policies, standards, procedures and guidelines). Document control framework implementation in a GRC tool with workflow to automate control review and data collection.
Facilitate and lead assessments to assess control posture and maturity. Stratify risks and operate a risk registry. Validate, prioritize and drive remediation of control gaps with system owners.
Facilitate and liaise with external auditors and stakeholders on audits and reviews.
Partner with internal stakeholders to support negotiations of Information Assurance contractual agreements with customers.
Assist with developing and delivering security awareness materials and training.
Communicate complex concepts with senior management, technical personnel, auditors and external stakeholders in a concise and professional manner.
Assist management with Information Assurance roadmap creation, execution and managing of expectations with all in-scope stakeholders.
Assist with meeting all other IT security compliance requirements.
Perform other tasks under the direction of management.
Basic Qualifications:
Bachelor's degree in information assurance/security/technology
Preferred Skills and Experience:
Master's degree in information assurance/security/technology and 6 years of demonstrated working experience in Information Assurance, Security or Technology.
Broad knowledge and practical understanding of modern IT Infrastructure, DevOps and Agile Software Development.
Demonstrated competency evaluating and implementing Information Assurance controls based on recognized frameworks (e.g. ISO-27001/2, NIST SP 800-53, CNSSI 1253, DoD 5200/8500 series) in a high security environment.
Robust technical policy writing skills with a penchant for balancing requirements with practicality and first principles reasoning.
Very strong project management, presentation and communication skills.
In-depth knowledge of data protection and integrity, operating systems, network security, authentication, and security protocols.
Demonstrated success building trust with engineering teams to drive compliance requirements in an Agile and highly innovative environment.
Demonstrated experience auditing or assessing as many of the following as possible: Linux (Debian/Ubuntu), Windows (7/2008/2012), Arista/Cisco switches, Palo Alto firewalls, ELK Stack and configuration management tools such as Puppet.
Understanding of Agile software development methodology/tools (Scrum, Kanban, Jira), version control systems and continuous integration processes (Jenkins, Bamboo). Knowledge of secure SDLC methodologies (e.g. BSIMM, DREAD, STRIDE).
Knowledge of compliance automation via GRC tool workflow and control automation techniques with scripting. Familiarity with scripting languages (Bash, Python) is desirable.
Certifications: ISO 27001 Lead Auditor/Implementer; CISA, CISM, CISSP, SANS GSEC, PMP
ITAR Requirements:
To conform to U.S. Government space technology export regulations, applicant must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.
SpaceX is an Equal Opportunity Employer; employment with SpaceX is governed on the basis of merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.
Applicants wishing to view a copy of SpaceX's Affirmative Action Plan for veterans and individuals with disabilities, or applicants requiring reasonable accommodation to the application/interview process should notify the Human Resources Department at (310) 363-6000.