Job Title: Technical Security Risk & Governance Analyst
Location: Harrisburg, PA
Position Summary:
The Technical Security Risk & Governance Analyst supports the state's cybersecurity program by performing risk assessments, control testing, and governance activities across enterprise systems, applications, networks, and cloud services. This role partners with IT, business owners, and audit teams to ensure security controls are designed, implemented, and operating effectively in alignment with state policy, NIST CSF/800-53, and other regulatory frameworks (e.g., CJIS, IRS Pub 1075, HIPAA, PCI DSS). The Analyst develops pragmatic recommendations, tracks remediation, and produces metrics for leadership and regulatory reporting.
Risk Assessment & Control Assurance:
- Conduct technical security risk assessments for on-prem, cloud (IaaS/PaaS/SaaS), and hybrid solutions; document risks, likelihood/impact, and recommended mitigations.
- Perform control design/operating effectiveness testing against NIST CSF/800-53, CIS Controls, ISO/IEC 27001, and agency security standards.
- Support Authority to Operate (ATO) processes, security attestations, and continuous monitoring.
- Facilitate threat modeling and security architecture reviews; advise on secure patterns (network segmentation, IAM, least privilege, encryption, logging).
Governance & Compliance:
- Maintain security policies, standards, procedures, and control libraries; align updates with legislative or regulatory changes.
- Map agency controls to relevant mandates (e.g., CJIS, IRS 1075, HIPAA, FERPA, PCI DSS, state statutes/policies) and track compliance gaps.
- Coordinate internal/external audits; lead evidence collection, responses, and remediation plans.
- Administer or contribute to GRC tooling for issues, exceptions, and risk registers.
Vulnerability & Third-Party Risk:
- Establish governance for vulnerability management (SLAs, exception management, risk acceptance); monitor patching and remediation progress.
- Perform vendor/security reviews (SaaS, MSPs, cloud providers), evaluate SOC 2/ISO certifications, and negotiate security clauses with procurement/legal.
- Review data protection, encryption, and privacy risks in new procurements and major system changes.
Metrics, Reporting & Communication:
- Develop and maintain dashboards and performance indicators (risk posture, control maturity, vulnerability closure rates); brief leadership on trends and priorities.
- Produce clear, actionable reports for technical teams and non-technical stakeholders.
- Promote security awareness and targeted training (e.g., secure configuration, privacy by design, third-party onboarding).
Incident & Change Advisory Support:
- Provide risk-informed guidance during incident response (root cause, control gaps, corrective actions).
- Review change requests for security impacts; ensure appropriate testing, logging, and rollback plans.
Required Qualifications:
- Bachelor's degree in Information Security, Computer Science, Information Systems, or related field; OR equivalent experience.
- 1-3 years in information security, risk management, audit, or related technical role.