What are the responsibilities and job description for the Information Security Analyst-GRC LVL II position at Smarter HR Solutions LLC?
Job Title: Information Security Analyst - Governance, Risk & Compliance (GRC) Level II
This Information Security Analyst - Governance, Risk & Compliance (GRC) Level II role will design and implement a scalable Cloud and Third-Party Cybersecurity Risk Management Framework aligned with NIST, ISO 27001, and other relevant standards.
Key Requirements:
- Develop and maintain risk assessment procedures and questionnaires tailored for cloud services and third-party applications.
- Define security review workflows for vendor onboarding, contract renewals, and offboarding.
- Integrate cybersecurity risk activities with procurement, legal, and enterprise architecture processes.
- Conduct technical and compliance assessments focusing on:
  - Data classification and regulatory alignment (e.g., HIPAA, CJIS, PCI, GDPR)
  - Encryption standards and access controls
- Review vendor responses to security questionnaires and validate supporting documentation (e.g., SOC 2 reports, ISO certifications, penetration test results).
- Analyze risks associated with APIs, SaaS integrations, homegrown plug-ins, and third-party application stores.
Role and Responsibilities
- Collaborate with internal stakeholders to define third-party cybersecurity roles and responsibilities.
- Partner with legal and procurement teams to ensure contracts include appropriate security terms (e.g., data handling, breach notification, audit rights).
- Provide security guidance to project teams evaluating or implementing cloud-based or externally hosted solutions.
Scheduled Milestones and Deliverables
- Support the development of cloud security baselines and governance controls.
- Recommend mitigation strategies and track remediation efforts.
- Evaluate cloud service configurations (e.g., AWS, Azure, Google Cloud, SaaS platforms) for alignment with enterprise security policies and industry best practices.
Metrics to be Utilized to Measure the Performance
- Maintain and update a centralized inventory of critical cloud services and third-party vendors.
- Develop and present risk dashboards and executive-level summaries to communicate risk posture and assessment outcomes.
- Track security exceptions, risk acceptance approvals, and remediation timelines across third-party engagements.
- Participate in governance forums such as the Cybersecurity Review Committee (CRC) and provide input on vendor-related risks.
Requirements
Education:
High School diploma or G.E.D. equivalent from an accredited educational institution. - Required
Bachelor's degree in Computer Science, Information Security, Information Technology, Risk Management, or similar area of study from an accredited college or university. - Preferred
Experience:
Five (5) years of work experience in Information Security, Information Technology, Computer Science, IT Risk Management, or a related field.
Knowledge, Skills, and Abilities (KSAs):
Experience designing, implementing, and executing IT Risk Management projects, cloud solutions, cybersecurity governance, and technologies across complex, large-scale environments.
Ability to build and maintain strong relationships across departments/teams and effectively communicate information security risks and controls to stakeholders and leadership.
A passion for cybersecurity, a self-starter mentality, flexibility, a willingness to take on new challenges, and the ability to thrive in a team environment.
Disqualifying Criminal History:
- Convictions, probation, or deferred adjudication for any Felony, and any Class A Misdemeanor
- Convictions, probation, or deferred adjudication for a Class B Misdemeanor, if within the previous 10 years
- Open arrest for any criminal offense (Felony or Misdemeanor)
- Family Violence conviction
Salary: $52 - $54