Technical Security Risk & Governance Analyst

Hybrid in Harrisburg, PA, US • Posted 6 hours ago • Updated 6 hours ago

Contract Independent

Contract Corp To Corp

Hybrid

$65 - $70/hr

Tri-Force Consulting Services Inc

Fitment

Dice Job Match Score™

👤 Reviewing your profile...

Job Details

Skills

Amazon Web Services
Auditing
CISM
CISSP
Cisco Certifications
Cloud Computing
Cloud Security
Collaboration
Computer Science
Continuous Monitoring
Cyber Security
Dashboard
Data Analysis
Data Centers
Data Security
DevOps
Documentation
Encryption
Endpoint Protection
Google Cloud
Google Cloud Platform
HIPAA
ISACA
ISO 9000
Information Security
ISO/IEC 27001:2005
IT Operations
IaaS
Identity Management
Incident Management
Information Systems
Leadership
Legal
Management
Microsoft Azure
Microsoft Excel
Microsoft Power BI
Microsoft Windows
Network
Network Security
Onboarding
PCI DSS
PKI
PaaS
Presentations
Privacy
Procurement
ROOT
Regulatory Compliance
Regulatory Reporting
Report Writing
Reporting
Risk Assessment
Risk Management
SAP GRC
SIEM
SLA
SaaS
Security Architecture
Security Awareness
Security Clearance
Security Controls
Security+
System On A Chip
TAS
Telecommuting
Testing
Threat Modeling
Training
Vulnerability Management
Workflow

Summary

Job Title:OA/EISO -TAS1(795990)\Technical Security Risk & Governance Analyst
Client:Commonwealth of PA 2
Location:Dauphin County, Harrisburg

NOTE:Hybrid schedule - 2 days on-site per week in Harrisburg, Local candidates within 2 hours of office strongly preferred

Position Summary

The Technical Security Risk & Governance Analyst supports the state s cybersecurity program by performing risk assessments,control testing, and governance activities across enterprise systems,applications, networks, and cloud services. This role partners with IT,business owners, and audit teams to ensure security controls are designed,implemented, and operating effectively in alignment with state policy, NIST CSF/800-53, and other regulatory frameworks (e.g., CJIS, IRS Pub 1075, HIPAA, PCI DSS). The Analyst develops pragmatic recommendations, tracks remediation,and produces metrics for leadership and regulatory reporting.

Key Responsibilities

Risk Assessment & Control Assurance
Conduct technical security risk assessments for onprem, cloud (IaaS/PaaS/SaaS), and hybrid solutions; document risks,likelihood/impact, and recommended mitigations.
Perform control design/operatingeffectiveness testing against NIST CSF/80053, CIS Controls, ISO/IEC 27001, and agency security standards.
Support Authority to Operate (ATO) processes,security attestations, and continuous monitoring.
Facilitate threat modeling and security architecture reviews; advise on secure patterns (network segmentation, IAM,least privilege, encryption, logging).
Governance& Compliance
Maintain security policies, standards,procedures, and control libraries; align updates with legislative or regulatory changes.
Map agency controls to relevant mandates (e.g.,CJIS, IRS 1075, HIPAA, FERPA, PCI DSS, state statutes/policies) and track compliance gaps.
Coordinate internal/external audits; lead evidence collection, responses, and remediation plans.
Administer or contribute to GRC tooling for issues, exceptions, and risk registers.

Vulnerability& ThirdParty Risk
Establish governance for vulnerability management (SLAs, exception management, risk acceptance); monitor patching and remediation progress.
Perform vendor/security reviews (SaaS, MSPs,cloud providers), evaluate SOC 2/ISO certifications, and negotiate security clauses with procurement/legal.
Review data protection, encryption, and privacy risks in new procurements and major system changes.

Metrics,Reporting & Communication
Develop and maintain dashboards and performance indicators (risk posture, control maturity, vulnerability closure rates); brief leadership on trends and priorities.
Produce clear, actionable reports for technical teams and nontechnical stakeholders.
Promote security awareness and targeted training(e.g., secure configuration, privacy by design, thirdparty onboarding).

Incident& Change Advisory Support
Provide risk-informed guidance during incident response (root cause, control gaps, corrective actions).
Review change requests for security impacts;ensure appropriate testing, logging, and rollback plans.

Required Qualifications
Bachelor s degree in Information Security,Computer Science, Information Systems, or related field; OR equivalent experience.
1 3 years in information security, risk management, audit, or related technical role.

Preferred Qualifications(not required)
CISSP, CISM, CRISC, CGRC (CAP), Security+, CCSK/CCSP,CISA
Vendor/cloud certs (AWS/Azure/Google Cloud Platform security specialty) are a plus.

Knowledge
Security frameworks and regulations: NIST CSF/80053, CIS Controls, ISO 27001; familiarity with CJIS, IRS Pub 1075,HIPAA, FERPA, PCI DSS, and state policy.
Core security domains: identity and access management (IAM), network security, endpoint security, vulnerability management, logging/SIEM, encryption/PKI, secure DevOps.
Cloud security concepts (shared responsibility, CSPM, workload protection, KMS/CMKs, conditional access, zero trust).

Skills
Technical assessment and control testing;ability to validate configurations and interpret scan results
Risk analysis and documentation; creating practical risk treatment plans and exceptions with compensating controls.
Using GRC platforms; building workflows, control libraries, and risk registers.
Data analysis and dashboarding (Excel/Power BI),concise report writing, and presentation to executives.

Abilities
Translate technical findings into business risk terms and prioritized actions.
Collaborate across IT, operations, legal,procurement, and program areas; influence without authority.
Handle multiple assessments and deadlines;maintain confidentiality and sound judgment.
Continuous learning and adapting to new threats,technologies, and mandates.

Work Conditions & Requirements
Background check per state policy; may require CJIS/IRS Pub 1075 clearance depending on data systems.
Occasional travel to agency sites or data centers.
Participation in afterhours change windows or incident support as needed.
Hybrid/telework eligibility per agency policy.

Performance Measures
Ontime completion of risk assessments and control tests.
Reduction in high/critical findings; SLA adherence for remediation.
Audit outcomes (deficiency reduction, timely corrective actions).
Governance deliverables (policy refresh cycle,control library currency).
Stakeholder satisfaction and effectiveness of risk communications.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.

Dice Id: 10115907
Position Id: 8889879
Posted 6 hours ago

Company Info

About Tri-Force Consulting Services Inc

Since 2000, Tri-Force Consulting Services has been an MBE/SDB certified IT consulting firm in the Philadelphia region. Tri-Force specializes in IT staffing, software development (web and mobile apps), systems integration, data analytics, system automation, cybersecurity, and cloud technology solutions for government and commercial clients. Tri-Force works with clients to overcome obstacles such as increasing productivity, increasing efficiencies through automation, and lowering costs. Our clients benefit from our three distinguishing core values: integrity, diligence, and technological excellence. Tri-Force is a six-time winner among the fastest-growing companies in Philadelphia and a four-time winner on the Inc. 5000 list of the nation's fastest-growing companies.

Create job alert

Never miss an opportunity! Create an alert based on the job you applied for.