Cyber Security Analyst - Third Party Risk Management, information security, SOC 2 Type II reports, ISO 27001 certifications, Risk assessments, Black Kite, Archer - State Exp must

Top Skills:

Strong understanding of cybersecurity principles, best practices, and control frameworks (e.g., NIST CSF, NIST 800-53).

Demonstrated ability to interpret SOC 2 Type II reports, ISO 27001 certifications, penetration test reports, and related third-party security documentation.

Experience conducting third-party, vendor, or technology risk assessments and identifying compensating controls.

Experience supporting or operating within a Third-Party Risk Management (TPRM) program.

Preferred Skills:

Working knowledge of Governance, Risk, and Compliance (GRC) platforms (e.g., Archer or similar tools)

Experience leveraging third-party risk monitoring tools (e.g., Black Kite)

Local, state, or federal government experience.

Job Description

This role will also support the development and maturation of the State s Third-Party Risk Management (TPRM) program, including the enhancement and operation of tools such as Black Kite. Additionally, the CSA3 will assist with evaluating cybersecurity waiver submissions requiring deeper technical analysis and will help maintain the statewide risk register to ensure tracking and remediation of risks that exceed the risk tolerance.

KNOWLEDGES, SKILLS, AND ABILITIES REQUIRED:

Strong understanding of cybersecurity principles, best practices, and control frameworks (e.g., NIST CSF, NIST 800-53).

Demonstrated ability to interpret SOC 2 Type II reports, ISO 27001 certifications, penetration test reports, and related third-party security documentation.

Familiarity with architectural review processes, cloud security concepts, and secure design principles.

Experience conducting third-party, vendor, or technology risk assessments and identifying compensating controls.

Experience supporting or operating within a Third-Party Risk Management (TPRM) program.

Working knowledge of Governance, Risk, and Compliance (GRC) platforms (e.g., Archer or similar tools) is strongly preferred.

Experience leveraging third-party risk monitoring tools (e.g., Black Kite) or similar platforms is desirable.

Strong analytical, technical writing, and documentation skills with the ability to clearly communicate risk to both technical and non-technical stakeholders.

Ability to manage multiple concurrent assessments while meeting deadlines in a fast-paced environment.

Strong organizational skills, attention to detail, and sound professional judgment in evaluating and documenting risk.

OPPORTUNITY TO DEVELOP IN THE POSITION BY GAINING:

Advanced expertise in technology-security review and third-party risk governance.

Hands-on experience building and maturing risk-management processes and tooling for a statewide cybersecurity program.

Exposure to procurement-related security evaluations and cross-department collaboration.