Herndon, United States of America Hybrid

Exostar is hiring an Information Security Engineer

Serve as senior-level lead auditor and audit engineer for Identity Access Management (IAM) assurance initiatives. Manage internal and external audit programs including FPKI Annual Review, Kantara certification, ISO/IEC 27001, SOC 2 Type 2, and Cyber Essentials. Integrate security risk assessments and threat modeling into audit planning and outcomes.

Responsibilities

  • Design and execute the internal PKI audit program, covering scope definition, test procedures, evidence collection, control validation, and reporting.
  • Lead preparation and submission support for FPKI Annual Review, coordinating with engineering, operations, policy teams, and external parties.
  • Support Federal Bridge cross-certification efforts and ongoing compliance, translating Certificate Policy and Certification Practice Statement into audit-ready documentation.
  • Lead or assist with Kantara assessments, including mapping criteria, compiling evidence, and coordinating with auditors.
  • Track findings from PKI and identity-related audits, document corrective actions, and oversee remediation until closure.
  • Manage the schedule for internal and external audits and assessments, including ISO 27001, SOC 2 Type 2, Cyber Essentials, firewall reviews, user access audits, and customer validation processes.
  • Own end-to-end audit lifecycle management, including scoping, evidence requests, control walkthroughs, sampling, issue tracking, and final report coordination.
  • Develop and maintain control narratives that reflect current system architecture and operational practices.
  • Collaborate with control owners across infrastructure, development, and business units to ensure high-quality, timely evidence submission.
  • Design and deploy tools and automation to streamline evidence collection, improve consistency, and reduce manual effort for audits.
  • Provide technical engineering support to verify identity, access, network, and platform security controls in both on-premises and cloud environments.
  • Create and maintain test scripts, runbooks, and automated evidence pipelines aligned with audit requirements and internal standards.
  • Support secure software development practices by enabling auditable change processes, traceability, and control validation in DevSecOps workflows.
  • Conduct security risk assessments and threat modeling for identity systems and high-impact platforms to guide control design and audit focus.
  • Maintain and update PKI governance documents such as Certificate Policy and Certification Practice Statement to ensure operational alignment.
  • Lead or participate in Policy Management Authority (PMA) activities, including change reviews, approvals, and documentation for IAM, PKI, and OTP programs.
  • Write and maintain information security policies, standards, and procedures related to access control, logging, vulnerability management, and incident response.
  • Monitor evolving standards and regulations such as NIST, FICAM/FPKI, FedRAMP Moderate, and CMMC Level 2, and assess their impact on security controls and audit obligations.
  • Support oversight of physical security and access badge programs, including audit reporting and evidence collection for facility controls.
  • Develop and deliver targeted security and privacy training for roles with audit and compliance responsibilities.

Requirements

  • Minimum of 7 years of experience in information security engineering, audit engineering, or security assurance within complex technical environments.
  • Proven experience auditing or assuring PKI and identity systems, including Microsoft Certificate Authority, HSM-based key management, certificate lifecycle, and CRL/OCSP validation.
  • Experience leading internal and external audits and directly interfacing with auditors and customers, with strong ability to produce defensible evidence and narratives.
  • Hands-on knowledge of identity and access management systems across on-premises and cloud platforms.
  • Ability to evaluate secure system architectures and validate technical controls across network, system, and platform layers.
  • Strong written and verbal communication skills, with demonstrated ability to lead cross-functional teams to remediate findings.
  • Eligible to pass a background investigation and obtain or maintain Trusted Role access to internal systems.
  • U.S. Citizenship is required due to customer contractual obligations.
  • Must be able to obtain and retain Trusted Role status; U.S. Citizenship is mandatory per customer requirements.

Nice to Have

  • Experience with Federal PKI (FPKI) Annual Review processes or Federal Bridge cross-certification audits.
  • Familiarity with Kantara Initiative assessments and NIST SP 800-63A/63B-aligned service criteria.
  • Prior experience managing ISO/IEC 27001, SOC 2 Type 2, Cyber Essentials, or customer security assessments.
  • Experience developing automated evidence collection solutions using scripts, APIs, GRC integrations, or CI/CD pipelines.
  • Working knowledge of SIEM and logging architectures, and File Integrity Monitoring (FIM) tools such as Splunk and CrowdStrike.
  • Experience using Jira and Confluence or similar tools for audit tracking, evidence management, and remediation workflows.
  • Hold one or more relevant certifications such as CISSP, CISA, CISM, CMMC CCP/CCA, or FedRAMP auditor/implementer credentials.

Tech Stack

Microsoft CA/AD CS, HSM-backed key management, Certificate lifecycle management, CRL/OCSP, Splunk, CrowdStrike, Jira, Confluence, GRC platforms, CI/CD pipelines, APIs, Cloud environments, On-prem systems, SIEM, File Integrity Monitoring (FIM)

Benefits

  • Comprehensive benefits package
  • Flexible time off policies
  • Employee development and internal promotion opportunities
  • Training and educational assistance programs
  • Engaging and enjoyable workplace culture
  • Social and community-building events

Compensation

Not specified

Work Arrangement

hybrid — Herndon, Virginia — In office 3x/week

Team

Member of the Information Security Office

  • Employee development
  • Promotion from within
  • Training and educational assistance
  • Fun, engaged workplace
  • Social and community-building events
  • Equal opportunity employment

Additional Information

  • U.S. Citizenship is required due to customer contractual obligations.
  • Ability to pass a background investigation and maintain Trusted Role access is mandatory.
  • This position operates in a hybrid model with a requirement to be in the office three days per week.
  • The organization is an Equal Opportunity Employer.
  • Operates in highly regulated sectors including Aerospace and Defense and Life Sciences.
  • Builds secure, cloud-based collaboration communities for trusted partners.
  • Uses community data to generate insights and intelligence that reduce risk and improve operational efficiency.

Required Skills

Microsoft CA/AD CS, HSM-backed key management, Splunk, CrowdStrike, Jira, Confluence, PKI, Identity Systems, Certificate Lifecycle, Audit Engineering, Security Assurance, Identity and Access Management, Authentication Systems, Certificate lifecycle management, CRL/OCSP, GRC platforms, CI/CD pipelines, APIs, Cloud environments, On-prem systems, SIEM, File Integrity Monitoring (FIM)

About company

Exostar

Exostar's cloud-based platforms create exclusive communities within the Aerospace and Defense, Life Sciences, and other highly regulated industries where members securely collaborate, share information, and operate compliantly. Within these communities we build trust. By analyzing community data, we provide insights and intelligence, enabling organizations to make better, timelier decisions, to mitigate risk, and operate more efficiently.

Job Details

  • Department: Information Technology
  • Category: security
  • Posted: 2 months ago