Senior Security & Compliance Engineer
NeGD is currently inviting applications for the position of Senior Security & Compliance Engineer on a contractual basis for a period of three years, which may be further extended based on the requirements of the project.
| Position | Senior Security & Compliance Engineer |
| No. of Positions | 01 |
| Last Date | 30th July 2026 |
Responsibilities
Application Security Engineering & Secure Development
- Own the application security engineering practice for the AI capability programme — define secure coding standards, threat modelling methodology, secure design review process, and security acceptance criteria for pod services
- Conduct threat modelling and secure design reviews for each pod’s services and their integration surfaces (STRIDE, LINDDUN, or equivalent); document threats, mitigations, and residual risks
- Provide hands-on secure development guidance to pod engineers and Full-Stack Engineers on authentication and session design, authorisation patterns, input validation, output encoding, secure API design, secrets handling, and DPDPA-compliant consent and data-minimisation patterns
- Define encryption standards (AES-256 at rest, TLS 1.3 in transit, key management), tokenisation approaches, and secure data-handling patterns for classified, internal, and public workloads per the Government of India Data Classification Policy
- Review and approve authentication and authorisation designs, particularly for high-risk pods (Pod 4 identity verification, Pod 6 fraud detection), and Aadhaar-adjacent flows where applicable
- Advise on AI-specific security concerns — prompt injection defence, data poisoning risk, model extraction, adversarial input handling, output filtering, RAG source integrity — in coordination with the AI Safety Researcher and Product Managers
Security Testing
- Design and execute the application security testing programme — SAST, DAST, SCA, secrets scanning, dependency vulnerability management — integrated into the CI/CD pipelines maintained by DevOps/SRE
- Coordinate VAPT engagements for each pod’s services prior to production deployment, including scoping, vendor coordination, and remediation tracking
- Coordinate STQC or equivalent third-party security certification for citizen-facing services as required per ministry deployment
- Conduct manual security review, code audit, and configuration review for high-risk services and Aadhaar-adjacent flows
- Perform periodic security assessments of live services — access review, configuration drift, exposed secrets, dependency currency — and drive remediation
Compliance & Audit
- Own compliance evidence and audit artefacts across the programme — control mapping, evidence collection, gap analysis, and remediation tracking for ISO 27001, MeitY Security Policy and Guidelines, and CERT-In directions per LoE Sections 10.2, 12, and 13
- Operationalise DPDPA 2023 compliance across all pods — consent architecture review, data principal rights fulfilment procedures, retention and deletion procedures, cross-border transfer controls, and data-processor obligations
- Own the Responsible AI compliance artefacts required by LoE Section 12.3 and 13.6 — model cards, dataset sheets, and bias/hallucination/safety evaluation report structures — in coordination with pod leads (technical safety evaluation content is authored by the AI Safety Researcher; this role owns the compliance framing, publication cadence, and audit readiness)
- Manage the security-incident reporting process per LoE Section 10.4 — 24-hour breach reporting to NeGD/Government Entity, root-cause analysis, and 7-working-day corrective action report submission
- Maintain the risk register for security and compliance risks; feed into the programme risk register owned by Product Managers
- Prepare and support internal and external audits — evidence packages, control walkthroughs, auditor coordination
Cross-cutting
- Partner with DevSecOps/SRE Lead on the boundary between application security (this role) and infrastructure security (DevSecOps/SRE) — network policies, WAF rule design, secrets management standards, and audit-log architecture
- Advise the Product Managers and the AI/Solution Architect on security and compliance trade-offs in product and architectural decisions
- Contribute reusable security patterns, secure design templates, threat model libraries, and compliance runbooks to AIKosh and OpenForge for reuse across ministries
Important Links
| Download Detailed Notification | Click Here |
| Apply Here | Click Here |
| Official Website | Click Here |
About National e-Governance Division (NeGD)
The National e-Governance Division (NeGD) is an independent business division under the Digital India Corporation, Ministry of Electronics and Information Technology. NeGD has been playing a pivotal role in supporting MeitY in Programme Management and implementation of e-Governance projects and initiatives undertaken by various Ministries/ Departments, both at the Central and State levels.
NeGD has been spearheading several innovative initiatives under the aegis of the Digital India Programme. Those have been developed keeping the vision areas of Digital India at the core- providing digital infrastructure as a core utility to every citizen, governance and services on demand and in particular, digital empowerment of the citizens of our country; some of these initiatives include DigiLocker, UMANG, Poshan Tracker, OpenForge Platform, API Setu, National Academic Depository, Academic Bank of Credits, Learning Management System.