Information Technology Security Eng...

Information Technology Security Engineer - SOC Audit & Compliance

Beghou is seeking a dedicated SOC Audit & Compliance Analyst to play a critical role in enhancing our organization's security control maturity and audit posture. This position serves as a vital link between technical security operations and governance/assurance requirements, ensuring that SOC-related security controls are not only documented but demonstrably effective through continuous testing, evidence validation, and cross-functional collaboration.

This role actively contributes to proactive risk reduction by facilitating timely remediation, improving audit outcomes, and fostering a culture of continuous compliance across our IT and security teams. Success will be measured by audit readiness, control reliability, and the ability to translate complex technical operations into clear, defensible audit evidence.

Key Responsibilities:

SOC Audit & Compliance

• Support SOC 2 (Type I & Type II), future ISO 27001 readiness, and internal security audits pertinent to SOC and IT operations.
• Map security and SOC controls to relevant frameworks, including AICPA Trust Services Criteria and ITGCs.
• Coordinate and manage the collection of audit evidence from SOC, endpoint, identity, and infrastructure teams.
• Conduct reviews of control design and operating effectiveness for SOC-adjacent controls.
• Track audit findings, risks, and remediation actions through to completion.
• Maintain a state of continuous audit readiness, moving beyond point-in-time compliance.

Vulnerability & Remediation Governance

• Collaborate with IT and GRC to support oversight of vulnerability management processes.
• Review and validate vulnerability findings identified through Nessus scans.
• Track remediation efforts against SLAs, compensating controls, and risk exceptions.
• Perform remediation validation testing following patching or configuration changes.
• Produce metrics on vulnerability compliance and generate audit-ready reports.

Endpoint & Device Security Compliance

• Support assurance of endpoint security controls across corporate devices utilizing Microsoft Intune.
• Validate the enforcement of: Device compliance policies, Security baselines, Patch and configuration standards.
• Provide audit evidence related to: Device enrollment, Configuration compliance, Endpoint protection integration (e.g., Defender ecosystem).
• Partner with endpoint teams during audits to articulate control design and operation.

Data Governance & Compliance

• Support data protection and information governance controls using Microsoft Purview.
• Assist with audits concerning: Data classification and labelling, DLP policy enforcement, Retention and records management, Insider risk and audit logging.
• Validate evidence of operational effectiveness for Purview-based controls.
• Maintain compliance documentation related to data security and privacy controls.

Documentation & Stakeholder Coordination

• Maintain SOC-related policies, standards, procedures, and control narratives.
• Translate technical SOC and security processes into audit-ready documentation.
• Collaborate effectively with: SOC Operations, Endpoint & IAM teams, Internal Audit, Risk & Compliance stakeholders.
• Prepare audit responses, management action plans, and status reports.

Qualifications:

• 2-6 years of experience in information security, IT audit, SOC governance, or security compliance.
• Hands-on experience with SOC audit or compliance activities.
• Working knowledge of: SOC 2 / ITGC concepts, Control testing and evidence collection.

Preferred Skills & Certifications:

• Familiarity with: ISO 27001, NIST CSF / 80053, AICPA Trust Services Criteria.
• Experience working with or supporting: Nessus (vulnerability scanning & remediation tracking), Microsoft Intune (device compliance / endpoint security assurance), Microsoft Purview (DLP, data classification, compliance tooling).
• Strong documentation, analytical, and stakeholder communication skills.
• Certifications (nice to have, not mandatory): CISA, ISO 27001 Foundation or LA, CRISC, Microsoft Security fundamentals.