Senior Security Controls Engineer

About The Position

Requirements

• 7+ years in security engineering, systems engineering, or infrastructure engineering with a strong focus on security controls and hardening.
• Hands-on expertise with Windows and Linux hardening, identity controls, and endpoint security control configuration.
• Experience implementing benchmark-based configuration standards (e.g., CIS) and managing exceptions/risk acceptances.
• Strong understanding of networking fundamentals (segmentation, firewalls, proxies, routing) and how to apply compensating controls.
• Cloud security controls experience in Azure and/or AWS (IAM, network controls, logging, security services).
• Proficiency in scripting/automation (PowerShell and/or Python); familiarity with infrastructure as code (e.g., Terraform) preferred.
• Ability to translate risk into technical control requirements and document controls for audit and compliance purposes.
• Excellent written and verbal communication; ability to work across infrastructure, application, and governance teams.

Nice To Haves

• Experience with configuration management and compliance platforms (e.g., Intune, Group Policy, SCCM/MECM, Ansible, Chef, Puppet).
• Experience with vulnerability scanning and exposure management tools (e.g., Tenable, Qualys, Rapid7) and mitigation engineering workflows.
• Experience tuning EDR policies and implementing detection/response guardrails (e.g., Microsoft Defender for Endpoint, SentinelOne, CrowdStrike).
• Experience with SIEM/SOAR integration for control telemetry and automated response.
• Security certifications (one or more): CISSP, GIAC (GSEC/GCED/GCIA), CCSP, AZ-500, AWS Security Specialty, or equivalent.
• Prior work in regulated industries (financial services, healthcare) with control evidence expectations (SOC 2, PCI DSS, GLBA).

Responsibilities

• Engineer and maintain preventive and detective controls across endpoints, servers, network, identity, and cloud services (Azure/AWS).
• Lead configuration hardening initiatives using industry benchmarks (e.g., CIS) and establish secure configuration baselines for common platforms (Windows, Linux, network devices, cloud services).
• Design compensating controls for vulnerabilities that cannot be remediated through patching (e.g., configuration changes, isolation, access controls, WAF rules, EDR policy tuning, segmentation).
• Own the technical control lifecycle: control requirements → design → implementation → testing/validation → monitoring → continuous improvement.
• Develop and maintain control-as-code and automation (PowerShell/Python/Terraform/CI-CD) to deploy and enforce configurations consistently.
• Implement configuration compliance monitoring, drift detection, and remediation workflows; integrate with ticketing/ITSM for exception handling.
• Partner with Vulnerability Management to translate findings into durable mitigations (hardening, compensating controls, secure defaults) and reduce recurring exposure.
• Collaborate with SOC/IR to improve detections and containment policies aligned to threats and incidents; tune controls based on lessons learned.
• Produce audit-ready evidence: control narratives, diagrams, test results, screenshots/exports, and KPI dashboards.
• Maintain standards, procedures, and runbooks for control engineering; mentor junior engineers and provide technical leadership to cross-functional teams.

Benefits

• ACA provides equal employment opportunities (EEO) to all applicants for employment without regard to race, color, religion, gender, sexual orientation, gender identity or expression, national origin, age, disability, genetic information, marital status, amnesty, or status as a covered veteran in accordance with applicable federal, state and local laws.