About The Position

This senior-level Information Security Engineer will serve as a member of the Exostar Information Security Office. This role primarily serves as the lead auditor and audit engineer for Identity Access Management (IAM) assurance activities, including the Federal PKI (FPKI) Annual Review and Kantara certification audits, as well as Exostar’s broader internal and external audit programs (e.g., ISO/IEC 27001, SOC 2 Type 2, Cyber Essentials). The role blends audit program development with hands-on technical depth. A successful candidate can translate complex architectures and operational processes into defensible audit evidence, engineer repeatable evidence pipelines and control validation, and drive remediation to closure across business and technical teams. This position enhances the Exostar Security Office’s ability to integrate risk assessments and threat modeling into audit and assurance activities, ensuring alignment between enterprise risk management and audit outcomes.

Requirements

  • 7+ years of information security engineering, audit engineering, or security assurance experience in complex technical environments.
  • Demonstrated experience auditing or assuring PKI and identity systems (e.g., Microsoft CA/AD CS, HSM-backed key management, certificate lifecycle, CRL/OCSP).
  • Experience leading internal/external audits and interacting directly with auditors and customers; strong capability to produce defensible evidence and narratives.
  • Hands-on understanding of identity, access management, and authentication systems across on-prem and cloud environments.
  • Ability to assess secure architectures and validate technical controls spanning network, systems, and platform services.
  • Strong written and verbal communication skills; ability to drive cross-functional remediation to closure.
  • Ability to pass background investigation and attain/maintain Trusted Role access to company systems.
  • U.S. Citizens only: due to customer requirements, U.S. citizenship is required.
  • Ability to gain and maintain Trusted Role status is required.

Nice To Haves

  • Experience with Federal PKI (FPKI) Annual Review processes and/or Federal Bridge cross-certification audits.
  • Experience with Kantara Initiative assessments (including NIST SP 800-63A/63B-aligned service criteria).
  • Experience with ISO/IEC 27001, SOC 2 Type 2, Cyber Essentials, and customer security assessments.
  • Experience building evidence automation (e.g., scripts, API-based data pulls, GRC workflow enablement, CI/CD-integrated evidence capture).
  • Working knowledge of SIEM/logging architectures and File Integrity Monitoring (FIM) technologies; familiarity with tools such as Splunk and CrowdStrike.
  • Experience with Jira/Confluence (or equivalent) for audit tracking, evidence management, and remediation workflows.
  • Relevant certifications (one or more): CISSP, CISA, CISM, CMMC CCP/CCA, FedRAMP auditor/implementer (or equivalent).

Responsibilities

  • Plan and execute the PKI internal audit program, including scoping, test procedures, evidence requests, control validation, and reporting.
  • Lead Annual Review readiness and submission support for FPKI-related requirements, including coordination with engineering, operations, policy, and external stakeholders.
  • Support Federal Bridge cross-certification activities and ongoing compliance obligations; translate CP/CPS and operational practices into audit-ready evidence.
  • Lead and support Kantara assessments (e.g., Classic / Rev.3 as applicable) including criteria mapping, evidence compilation, and auditor coordination.
  • Track PKI and identity audit findings, document corrective actions, and drive remediation through verification and closure.
  • Lead and manage the calendar of internal and external audits and assessments (e.g., ISO 27001, SOC 2 Type 2, Cyber Essentials, firewall audit, user account management audit, customer/security validation processes).
  • Own audit lifecycle management: scope definition, evidence request lists, control walkthroughs, sampling, issue management, and final report coordination.
  • Develop and maintain audit control narratives that accurately reflect current architecture and operations.
  • Partner with control owners across infrastructure, development, and business functions to ensure consistent evidence quality and timely delivery.
  • Design and implement audit-support tooling and automation to reduce evidence collection burden and increase repeatability (e.g., system baselines, access reviews, configuration and logging attestations).
  • Provide hands-on engineering support to validate technical controls for identity, access, network security, and platform services across on-prem and cloud environments.
  • Create and maintain control test scripts, runbooks, and evidence pipelines aligned to audit criteria and internal standards.
  • Support secure SDLC/DevSecOps practices by enabling auditable change management, traceability, and control verification.
  • Perform security risk assessments and threat modeling for identity and high-impact systems to inform control design and audit priorities.
  • Maintain and evolve PKI governance documentation, including Certificate Policy (CP) and Certification Practice Statement (CPS), ensuring alignment between policy and operations.
  • Lead or support the Policy Management Authority (PMA) process, including change reviews, approvals, and documented decisions impacting IAM/PKI/OTP programs.
  • Author and maintain information security policies, standards, and procedures supporting enterprise audits (e.g., access control, logging/monitoring, vulnerability management, incident response).
  • Monitor relevant standards and regulatory drivers (e.g., NIST, FICAM/FPKI, FedRAMP Moderate, CMMC Level 2) and assess impact to security controls and audit obligations.
  • Support physical security and badging program oversight, including reporting and audit evidence for facilities controls as applicable.
  • Maintain and deliver targeted security and privacy awareness training relevant to trusted roles and audit obligations.

Benefits

  • We believe in employee development: we promote internally and provide training and educational assistance.
  • We provide a fun, engaged workplace, with social and community-building events.
  • We offer comprehensive benefits and flexible time off plans.
  • Exostar is an Equal Opportunity Employment Employer. The company provides equal employment opportunities to all applicants without regard to race, color, religion, sex, national origin, age, marital status, disability status or genetic information. Exostar is committed to providing equal employment opportunities for all persons in all facets of employment including recruiting, hiring, compensation, promotion, training, benefits, transfers and working conditions.
© 2024 Teal Labs, Inc