MAF Group

IT Security compliance specialist

  • Posted a day ago

Job Description

Job Title: Freelance IT Security Compliance Specialist

Role Summary

The Freelance IT Security Compliance Specialist will be responsible for reviewing, implementing, and documenting technical security controls across the organization's IT infrastructure to achieve and maintain compliance with the Cyber Essentials requirements. The role requires strong expertise in defining assessment scope and ensuring that all in-scope devices, systems, and software comply with mandatory security standards.

Key Responsibilities and Deliverables

1. Scope Definition and Asset Management

  • Scope Establishment: Define the organizational scope and identify all IT infrastructure components included within the assessment boundary.
  • Boundary Definition: Clearly document and agree upon the scope boundary, including relevant business units, network boundaries, and physical locations, in coordination with the Certification Body.
  • Asset Management: Ensure effective asset management practices are in place as a core security function to support compliance with all five Cyber Essentials technical controls.
  • In-Scope Coverage: Apply requirements to all relevant devices and services, including Bring Your Own Device (BYOD), home and remote working environments, cloud services (IaaS, PaaS, SaaS), and third-party accounts.

2. Implementation of Technical Controls

A. Firewalls

  • Firewall Deployment: Ensure all in-scope devices are protected by properly configured firewalls or network devices with firewall functionality.
  • Secure Administration: Replace default administrative credentials with strong, unique passwords or disable remote administrative access where appropriate.
  • Administrative Access Control: Restrict access to firewall administrative interfaces from the internet unless protected by Multi-Factor Authentication (MFA) or an IP allow list combined with strong password authentication.
  • Rule Management: Enforce default blocking of unauthenticated inbound connections, document all approved inbound firewall rules with clear business justification, and remove unnecessary or unused rules.
  • Remote Device Protection: Ensure software firewalls are enabled on devices operating in untrusted networks, such as public Wi-Fi environments.

B. Secure Configuration

  • Device and Account Management: Regularly review and remove or disable unnecessary user accounts (including guest accounts) and change default or easily guessable passwords.
  • Software Hardening: Remove or disable unnecessary software, applications, utilities, and network services.
  • Device Locking Controls: Implement appropriate device locking mechanisms (e.g., biometric authentication, passwords, or PINs) requiring physical presence. Ensure protections against brute-force attacks, such as attempt throttling (maximum of 10 attempts within 5 minutes) or device lockout after 10 failed attempts.

C. Security Update Management (Control 3)

  • Software Support Status: Confirm that all in-scope software is licensed and supported. Remove unsupported software or isolate it within a defined subset where removal is not feasible.
  • Patch Management: Enable automatic updates where possible and maintain documented patching procedures.
  • Vulnerability Remediation: Ensure that all security updates addressing vendor-rated critical or high-risk vulnerabilities, or those with a CVSS v3 base score of 7.0 or higher, are applied within 14 days of release.

D. User Access Control (Control 4)

  • Account Provisioning: Establish formal processes for user account creation, approval, and authentication using unique credentials prior to granting access.
  • Account Lifecycle Management: Promptly remove or disable user accounts and privileged access when no longer required, such as during role changes or employee exits.
  • MFA Enforcement: Implement Multi-Factor Authentication wherever available, ensuring that all cloud service access is protected by MFA.
  • Privileged Access Management: Use dedicated administrative accounts exclusively for privileged activities, with no routine activities such as web browsing or email usage.
  • Password Standards: Where passwords are used, enforce technical controls to ensure password quality, including a minimum length of 12 characters, or at least 8 characters combined with automated blocking of commonly used passwords via a deny list.

E. Malware Protection (Control 5)

  • Malware Defense: Ensure that all in-scope devices are protected by an active and effective malware protection mechanism.
  • Configuration and Updates: Configure anti-malware solutions in accordance with vendor recommendations, ensuring regular updates, prevention of malware execution, blocking of malicious code, and protection against connections to malicious websites.
  • Application Allow Listing: Where applicable, implement application allow listing to permit only approved, code-signed applications to execute, and maintain an up-to-date list of approved software.

Required Experience and Knowledge

  • In-depth understanding of the five technical control areas defined under the Cyber Essentials scheme.
  • Proven experience in implementing security controls for BYOD environments and cloud services, including IaaS, PaaS, and SaaS platforms.
  • Strong knowledge of secure authentication practices, including Multi-Factor Authentication (MFA) and protections against brute-force attacks.

Job ID: 136899775