Security Lead / Architect
NeGD is currently inviting applications for the position of Security Lead / Architect on a contractual basis for a period of three years, which may be further extended based on the requirements of the project.
| Position | Security Lead / Architect |
| No. of Positions | 01 |
| Last Date | 27th July 2026 |
Responsibilities
Security Architecture Ownership
- Own the security architecture of the platform end-to-end — aligned to NIST CSF, Zero Trust Architecture, OWASP Top 10, ISO/IEC 27001:2022, CIS controls, CERT-In directions, and the DPDP Act 2023
- Define and approve platform-level security controls: RBAC, MFA for privileged roles, secrets management, audit logging, encryption in transit (TLS 1.3) and at rest (AES-256), certificate lifecycle, Kubernetes RBAC
- Approve threat models, secure design reviews, and residual-risk registers across the developer portal and all platform layers; sign off on security acceptance criteria per phase gate
- Own the Zero Trust implementation across identity, network, and workload layers
DevSecOps & Supply Chain Security
- Define standards for security gates in CI/CD pipelines — SAST, DAST, SCA, secrets scanning, container scanning — and approve their integration into golden path templates
- Own supply-chain security posture: SBOM generation, vulnerability scanning, artefact signing, image provenance, and admission control via Kyverno / OPA-Gatekeeper
- Approve policy-as-code frameworks and Kubernetes admission policies enforced across the platform
Client-Side Governance of the Agency’s Security Function
- Act as the technical authority over the agency’s security engineering resources on all security matters; review their deliverables against contracted scope and validation criteria
- Approve VAPT scope, findings, and remediation plans; approve pen-test reports before production rollout and after major consumer onboarding waves
- Review security posture dashboards, vulnerability management pipelines, threat detection workflows, and security audit/evidence packs delivered by the agency
Compliance, Audit & Data Protection
- Own ISO/IEC 27001:2022-equivalent ISMS coverage across the platform’s processes and personnel; ensure certification evidence is submitted and maintained through the engagement
- Operationalise DPDP Act 2023 compliance — consent architecture, data-principal rights procedures (access, correction, erasure), data minimisation, purpose limitation, retention and deletion, and cross-border transfer controls
- Conduct or approve Privacy Impact Assessments (PIAs) for sensitive flows, including AI analytics
- Own CERT-In compliance, including 6-hour incident reporting, log-retention obligations, and directions applicable to government platforms
- Own audit readiness — control mapping, evidence collection, gap analysis — for internal and external audits; support MeitY, STQC, and CAG audits
Security Operations & Incident Response
- Approve the security incident response framework — detection, triage, containment, eradication, recovery, and post-incident review — and its integration with the ITSM layer
- Approve runtime threat protection, secrets and credential risk management, and SIEM configurations delivered by the agency
- Own communication with CERT-In on reportable incidents; own breach notification within statutory timelines
Tenant-Facing Security Governance
- Approve tenant-specific security configurations — namespace isolation, RBAC policies, data-residency and classification requirements, dedicated deployment security posture
- Advise tenant administrators on security responsibilities under the federated custody model; support tenant-specific VAPT and audit requirements
AI Security & Emerging Threats
- Approve AI-integration security posture — prompt injection defence, RAG source integrity, PII redaction in conversation logs, model output filtering, adversarial input handling, and MITRE ATLAS-based risk assessment
- Define human-in-the-loop guardrails and audit logging for AI features across development, security, and operations use cases
Important Links
| Download Detailed Notification | Click Here |
| Apply Here | Click Here |
| Official Website | Click Here |
About National e-Governance Division (NeGD)
The National e-Governance Division (NeGD) is an independent business division under the Digital India Corporation, Ministry of Electronics and Information Technology. NeGD has been playing a pivotal role in supporting MeitY in Programme Management and implementation of e-Governance projects and initiatives undertaken by various Ministries/ Departments, both at the Central and State levels.
NeGD has been spearheading several innovative initiatives under the aegis of the Digital India Programme. Those have been developed keeping the vision areas of Digital India at the core- providing digital infrastructure as a core utility to every citizen, governance and services on demand and in particular, digital empowerment of the citizens of our country; some of these initiatives include DigiLocker, UMANG, Poshan Tracker, OpenForge Platform, API Setu, National Academic Depository, Academic Bank of Credits, Learning Management System.