AECOM IT Security Auditor in Arlington, Virginia

Requisition/Vacancy No. 146279BR

Position Title IT Security Auditor

Job Category Information Technology

Business Line Government

Country United States of America

State/Province/Region USA - Virginia

City Arlington

Why Choose AECOM? AECOM is a premier, fully integrated professional and technical services firm positioned to design, build, finance and operate infrastructure assets around the world for public- and private-sector clients. With nearly 100,000 employees — including architects, engineers, designers, planners, scientists and management and construction services professionals — serving clients in over 150 countries around the world, AECOM is ranked as the #1 engineering design firm by revenue in Engineering News-Record magazine’s annual industry rankings, and has been recognized by Fortune magazine as a World’s Most Admired Company. The firm is a leader in all of the key markets that it serves, including transportation, facilities, environmental, energy, oil and gas, water, high-rise buildings and government. AECOM provides a blend of global reach, local knowledge, innovation and technical excellence in delivering customized and creative solutions that meet the needs of clients’ projects. A Fortune 500 firm, AECOM companies, including URS Corporation and Hunt Construction Group, have annual revenue of approximately $19 billion. More information on AECOM and its services can be found at

About the Business Line


AECOM’s Global Support Services (GSS) organization resides within AECOM’s Government business line and is comprised of three divisions — International Development, Operations and Mission Support, and Global Programs. GSS has the international presence, personnel networks and procurement infrastructure to deliver support for any mission, anywhere. We optimize the reliability, availability and sustainability of equipment, logistics systems and facilities for clients around the world. GSS supports the U.S. Government, non-U.S. Governments and industry clients with worldwide program management, planning, design, operations and maintenance, logistics, aviation services, security, international development, environmental and civil engineering and mission and intelligence support.

Job Summary

AECOM is seeking an IT Security Auditor to join our team supporting the TSA in Arlington, VA

The IT Security Auditor will perform security tests and reviews on database, network, infrastructure and web applications to determine vulnerabilities, and recommend safeguards to mitigate risk to ensure applications and servers are operating in accordance with established policies and procedures.

You must be able to provide expertise and perform work to include but not be limited to IT security testing, risk assessments, incident response, and security awareness and information security vulnerabilities.

Provide security design, review, and recommendations for all enterprise Security technologies including firewall, router, VPN, IDS sensors, Proxy, wireless, PKI, and switch changes within the enterprise; Conduct Security testing, evaluation and analysis for Security Testing, and Evaluation (ST&E) of IT Systems; provide technical policy and standards review subject matter expertise; conduct vulnerability assessments on various types of networks and topologies; recommend remediation for Plan of Action & Milestone items, and assess the enterprise-wide infrastructure of the IT environment.

Minimum Requirements

Bachelors degree in electrical engineering, computer sciences, information systems, mathematics, or business administration and at least ten years professional experience in the subject matter (12 years experience total required without a degree) and a minimum of 5+ years of experience in C&A with a full understanding of the SDLC and FISMA process, security policy and technical standard development, secure infrastructure design reviews, multi-tiered trust zone structures, and complex internetworking through multiple-level network security structures.

This individual should be highly regarded by the professional community in which he/she practices, with possible university and/or research institute affiliation.

Requires experience with Federal IT systems and experience in the Certification and Accreditation process with a full understanding of the System Development Life Cycle and FISMA process.

Interim Secret or Secret OR Top Secret. Must be eligible to obtain a DHS security clearance (EOD) ; Active Top Secret strongly preferred

General Requirements:

•10 + years’ experience in Information Technologies (IT)

•5+ years’ experience in the Certification and Accreditation (C&A) process with a full understanding of the System Development Life Cycle and FISMA process.

•Experience in performing security assessment of network devices (router, switch, firewall configuration), servers, workstations, Web applications and databases.

•Experience in reviewing and testing documentation such as Systems Security Plans, Contingency Plans, Test Plans, Findings Matrices and Network Diagrams

•Strong Knowledge of NIST and FIPS security controls

•Experience conducting vulnerability testing on UNIX and Windows operating platforms

•Experience reviewing and understanding system security plans (SSP), network diagrams, standard operating procedures (SOP)s, and system design documents (SSD)

•Resources shall be able to proficiently articulate both written and verbally technical concepts to a variety of technical and non-technical audiences

•Experience with web development and web application implementation

•Web Application Penetration Tester experience

•Experienced with tools such as: Nessus, Nmap, Fluke Analyzer, Burp Suite, Kali Linux, HP WebInspect, IBM AppScan, and AppDetective

•Demonstrated oral/written communications and client facing skills

•Conduct vulnerability assessments across all aspects of IT Security on both government and contractor sites

•Assist in development of a technical audit program including designing templates, suggesting policy improvements, and aligning assessments to Federal policies

•Develop audit reports for senior executives to summarize the results of the audit

•Work well in a team environment, either as a small group lead or in a support role

•Possess excellent communication skills, both oral and written

•Test the management, operational, and technical security controls and identify undocumented or new vulnerabilities according to the following authorities:

  • DHS Sensitive Systems Policy Directive 4300A/B (MD 4300A and MD 4300B)

  • United States Government Common Baseline

  • Federal Information Processing Standard (FIPS) 199: Standards for Security Categorization of Federal Information and Information Systems

  • FIPS 200: Minimum Security Requirements for Federal Information Systems

  • NIST 800-53: Recommended Security Controls for Federal Information Systems

  • National Vulnerability Database

  • Best Practices, National Security Agency (NSA) Systems and Network Attack Center (SNAC);

  • DOD Security Technology Implementation Guidance

Approximate travel requirement up to 20%. Overnight and weekend work is required.

Preferred Qualifications

CISSP, CAP, CCNA, CISA, GIAC, CISM, CEH, or similar information security professional certification

What We Offer

AECOM is a place where you can put your innovative thinking and business skills into high gear and work alongside other highly intelligent and motivated people. It's a place where you can apply your skills to some of the world's most challenging, interesting, and meaningful projects worldwide. It's a place that values the diversity of our areas of practice and our people. It's what makes AECOM a great place to work and grow.

AECOM is an equal opportunity employer and Minorities, Females, Veterans, and Disabled persons are encouraged to apply. For further information, please click here at to view the EEO Is The Law poster.