Information Security Risk Analyst

Job Description:

We are seeking a skilled and motivated Risk Analyst to join our Security Operations team. This role involves participation in the full risk life cycle of identification, analysis, response and reporting on risks. Related tasks would include contributing to internal policy development, third-party risk management, conducting internal risk assessments and internal audit activities.

The ideal candidate is an early-career professional with attention to detail and an eagerness to learn. They are an active listener with strong analytical and problem-solving abilities to catalog and elements of risk and to see interrelated patterns. The work often involves documenting risk factors in a way so that when the time is appropriate, they can be addressed effectively, so clear communication is vital in this role.

Essential Functions:

• Identify risk through formal engagement and interactive collaboration with stakeholders
• Analyze identified risks for their potential impact or likelihood of occurrence to ensure material risks are prioritized
• Recommend response for material risks, such as mitigation, acceptance or transfer, where appropriate and demonstrate if there is a clear business case or return on investment for the recommended response
• Report on the current risk and control maturity to determine if response actions are effective in meeting the target residual risk levels
• Contribute to policy development when risks need to be remedied through tighter administrative control
• Support the Third-Party Risk Management program to perform initial review vendors for their security posture
• Monitor for emerging third-party risk
• Conduct internal Risk Assessments in support of the companys compliance and audit obligations
• Conduct internal audits to test compliance with various standards
• Conduct user access reviews for applications and systems to ensure compliance with the principle of least privilege

Core Duties:

• Conduct periodic risk assessments and working sessions to surface risks
• Independently, and in coordination with colleagues, perform regular review of outstanding risks to analyze them for changes in materiality
• Contribute to executive reports to the Risk Committee
• Support external audit efforts by providing evidence pertaining to risk, policy and third-party governance
• Stay current with evolving threats, vulnerabilities, and best practices through threat intelligence monitoring and external sources

Core Knowledge

• Understanding of risk factors and threat databases
• Familiarity with compliance and audit standards
• Foundational experience with IT systems and a wide range of technologies
• Understanding of relationship between administrative and technical controls
• Understanding of how to measure and track control effectiveness over time
• Skill in recognizing and categorizing types of vulnerabilities and associated attacks

Qualifications:

Basic Qualifications:

• Pervasive sense of curiosity about how risks can manifest from threats
• Experience with, or an eagerness to learn, GRC tools that help support work function
• Experience documenting complex situations in a way that conveys business impact
• Minimum of 2 years of experience in cybersecurity incident response or a related role

Preferred Qualifications:

• Professional certifications such as CRISC, CISSP, or CISA
• Experience conducting risk assessments
• Experience with vendor governance and policy development
• Experience developing and implementing a risk register
• Experience managing a business impact assessment inventory or critical applications

Core Competencies

• Business Continuity
• Risk Analysis
• Threat Analysis
• Vulnerability Assessment
• Concise Communication