Cybersecurity Risk and Compliance Analyst

  • Rockville, MD
  • Posted 1 day ago | Updated 1 day ago

Overview

On Site
Depends on Experience
Full Time
No Travel Required

Skills

Cyber Security
CompTIA
Nessus
Risk Management

Job Details

Job Profile Name: Cybersecurity Risk and Compliance Analyst

Job Profile Summary
The Cybersecurity Risk Analyst is responsible for supporting and advancing the organization's Governance, Risk, and Compliance (GRC) functions. This role helps ensure regulatory compliance, strengthens the overall security posture, and drives risk management initiatives across systems, networks, and third-party vendors. The Analyst works closely with cross-functional teams to coordinate remediation efforts, identify and assess vulnerabilities, implement and validate security controls, and enhance the organization's risk management, compliance, vulnerability, and third-party risk management capabilities.


Essential Functions
Governance and Compliance:
o Maintain the GRC framework in alignment with organizational policies and regulatory requirements, including FERPA, GLBA, PCI-DSS, and other privacy regulations.
o Support compliance activities related to security frameworks such as NIST SP 800-171, CIS Controls, and PCI-DSS.
o Analyze requirements needed to comply with client policies and procedures, industry standards, and federal, state, and local regulations.
o Conduct regular reviews, assessments, and updates of policies, standards, and procedures to reflect changes in frameworks, regulations, and industry standards.


Risk Management:
o Maintain and update the risk register with identified risks, assessments, mitigation strategies, and status updates.
o Evaluate and prioritize vulnerabilities based on severity, risk exposure, exploit likelihood, and business impact.
o Document risk exceptions in accordance with established policies, ensuring proper review and approval workflows.
o Document, track, and communicate risk exceptions to relevant stakeholders to promote transparency and understanding.
o Perform risk assessments and prepare reports summarizing findings and recommendations for management.
o Monitor emerging risks, industry trends, and regulatory changes; recommend enhancements based on best practices.


Security Controls Validation:
o Validate the implementation and effectiveness of security controls by conducting and participating in internal assessments and audits.
o Collaborate with IT and security teams to remediate identified control gaps and track follow-up actions.

Third-Party Risk Management:
o Conduct assessments of third-party vendors, including reviewing and validating security and privacy documents, and compliance evidence.
o Ensure vendors meet organizational risk, security, and compliance requirements.
o Track vendor risks, findings, and remediation activities as part of the third-party risk management program.

Vulnerability Management:
o Conduct regular vulnerability scans and assessments across networks, systems, applications, and cloud platforms.
o Analyze scan results to identify security weaknesses, misconfigurations, and areas of elevated risk.
o Correlate vulnerability data with current threat intelligence to assess exploitability and potential impact.
o Continuously monitor the environment for new vulnerabilities, zero-days, and emerging threats.

POA&M Management:
o Maintain detailed tracking of vulnerabilities, including deadlines, remediation progress, ownership, and closure.
o Develop, manage, and update Plans of Action and Milestones (POA&Ms).
o Validate remediation actions to ensure vulnerabilities are effectively resolved.
o Participate in cross-functional remediation projects to ensure timely and effective risk reduction.

Reporting & Documentation:
o Produce detailed reports on identified vulnerabilities, severity levels, business impact, and remediation status.
o Maintain documentation of assessment findings, remediation efforts, compliance standards, and audit requirements.
o Present management summaries and dashboards for leadership and governance committees.

Training & Awareness:
o Deliver training sessions on risk management practices, compliance requirements, and security standards.
o Conduct training sessions to raise awareness on vulnerabilities, secure configurations, and mitigation best practices.
o Foster a culture of compliance and risk awareness across the organization.

Required Knowledge, Skills and Abilities
Knowledge of cyber security and privacy industry, including the technology used to protect the confidentiality, integrity and availability of sensitive information. Working knowledge of security frameworks and regulatory requirements such as NIST SP 800-171, CIS Controls, FERPA, GLBA, PCI-DSS, and privacy standards.
Knowledge, appreciation and prioritization of principles and practices of project organization, planning, records management, and general administration.
Working knowledge of IT enterprise operations, architecture, and IT as a Service.
Strong understanding of vulnerability management principles, methodologies, and tools.
Familiarity with patch management processes, secure configuration standards, and system hardening practices.
Working knowledge of common threat vectors, exploitation techniques, and the vulnerability lifecycle.
Knowledge of risk management concepts, risk scoring, risk registers, and POA&M tracking.
Familiarity with SOC reports, third-party risk assessments, and due diligence reviews.
Ability to analyze vulnerability data, correlate findings with threat intelligence, and assess potential business impact.
Skilled in interpreting scan results, identifying false positives, and validating remediation actions.
Ability to perform root-cause analysis for recurring or high-risk findings.
Strong attention to detail when documenting risks, findings, or compliance gaps.
Ability to manage multiple assessments, findings, risks, and remediation efforts simultaneously.
Skill in writing policies, standards, processes and procedures.
Skill in leading and/or conducting audits, assessments or reviews of technical systems and processes.
Effective verbal and written communication skills, presentation, and public speaking skills.
Effective skills in developing and presenting educational or training programs.
Effective planning, organizational and multi-tasking skills with minimal supervision.
Ability to think critically and analyze information and situations; present findings and make recommendations.
Ability to identify compliance and security needs independent of management direction.
Ability to grasp technical concepts at all levels of computer systems, from system hardware components and architecture to system integration and implementations.
Ability to work independently and as part of a team.
Ability to advise, train, and motivate technical and non-technical individuals in regulatory compliance and information and systems security efforts.
Ability to work effectively with an array of constituencies in a community that is both demographically and technologically diverse.
Ability to communicate technical concepts and data to non-technical audiences.
Ability to achieve goals through influence, collaboration, and cooperation.
Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
Ability to produce technical documentation.
Ability to handle and maintain confidential information.
Ability to exercise judgment when policies are not well-defined.
Ability to think critically, analyze issues and solve sensitive and complex problems under pressure.

Minimum Education, Training and Experience Required:
Bachelor's degree from an accredited college or university with course work in cybersecurity and information technology or a related field, and/or any combination of education, training, and experience that provides the required knowledge and expertise to perform the essential functions of the position.
Three years of information security experience including conducting risk assessments/audits/reviews of information systems and assessing and/or mitigating information security threats/risk and/or three years of working experience with security requirements, systems, security architecture, as related to risk management.

Competencies:
Decision Making
o Decisions may affect a work unit or area within a department. May contribute to business and operational decisions that affect the department.
Problem Solving
o Problems are varied, requiring analysis or interpretation of the situation. Problems are solved using knowledge and skills, and general precedents and practices.
Independence of Action
o Results are defined and existing practices are used as guidelines to determine specific work methods; work activities are carried out independently, with a supervisor/manager available to resolve problems.
Communication and Collaboration
o Contacts and information are primarily within the job's working group, department and/or center.
o Contacts and information sharing are external to the job's department, but internal to the center/centers (i.e., other departments/centers, central administration/services such as Human Resources, Payroll, Finance, Facilities, Mail Services, etc.).
o Contacts and information sharing are internal/external to the client workspace for the primary reason of scheduling, coordinating services, collaborating, etc.

Required Industry Certifications:
At least one or more of the following relevant certifications is required:
Certified in Risk and Information Systems Control (CRISC)
Certified in Governance, Risk and Compliance (CGRC)
Certified Information Systems Security Professional (CISSP)
CompTIA Security+
CompTIA Cybersecurity Analyst (CySA+)
Certified Ethical Hacker (CEH)
GIAC Vulnerability Assessment
Tenable/Nessus certification

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.

About UVS Infotech