What are the responsibilities and job description for the Senior Information Security & GRC Analyst position at Virginia State Corporation Commission?
Senior Information Security & GRC Analyst
2 positions
Anticipated Starting Salary Range: $75,000 - $100,000
Starting Salary Commensurate with Qualifications and Experience
The State Corporation Commission’s (SCC) Health Benefit Exchange (HBE) division seeks two analysts interested in rewarding public service careers to join its Information Security team. One position is a Senior Information Security Analyst and one is a Senior Governance, Risk, and Compliance (GRC) Analyst. Both positions will work under the direction of the HBE Information Security Manager to safeguard the HBE’s consumer data and information and ensure compliance with state and federal regulations. These positions offer a hybrid work schedule (some in-office and telework days each week) as well as a variety of professional development and training opportunities.
Essential Functions & Responsibilities of the Senior Information Security Analyst position include, but are not limited to:
- Monitor, analyze, and report on security vulnerabilities and weaknesses.
- Perform complex security impact assessments, analyze, and report on the impact of requested system and framework changes to security posture and applicable controls.
- Remain informed of emerging threats, trends, and new security technologies and regularly present findings of impact to the Information Security team.
- Lead continuous improvement efforts, developing and presenting security training to team and division personnel.
- Mentor and train junior Security Analysts.
- Perform complex risk and threat assessments.
- Respond, coordinate, and monitor complex incident response activities.
- Coordinate and support 3rd party assessments and penetration tests.
- Assess system operations and security controls and make recommendations for improvements.
- Communicate and collaborate with vendors, HBE staff, partners, and other SCC divisions on complex security issues, updates, controls, and additional ad hoc items.
- Prepare reports on security findings, progress towards remediation of security related issues, and system trends.
- Perform related work as required.
Essential Functions & Responsibilities of the Senior Governance, Risk, and Compliance (GRC) Analyst position include but are not limited to:
- Coordinate with federal agencies, SCC internal teams, vendors, and 3rd parties to perform privacy and security assessments, audits, and other security and privacy compliance activities.
- Conduct complex audits of HBE partners and vendors to evaluate compliance with privacy and security requirements.
- Lead and participate in internal assessments to evaluate compliance with information security and privacy policies, procedures, regulations, and agreements.
- Monitor regulatory changes, evaluate impacts, and prepare reports and recommendations on compliance for security and privacy policies for HBE senior leadership.
- Review and update security and privacy control documentation to ensure it is accurate, up to date, and adheres to legal and regulatory requirements.
- Develop and present compliance findings from audits and assessments to HBE senior leadership and prepare remediation reports.
- Develop, update, and support implementation of data security and privacy protection policies and procedures.
- Coordinate with vendors and monitor complex security and privacy incidents.
- Contribute to continuous improvement efforts.
- Perform related work as required.
Preferred Qualifications
- 4 or more years of professional experience in information security; governance, risk, and compliance (GRC); and/or audit and compliance.
- Considerable experience with risk assessments, risk and vulnerability management, and incident response activities is essential for the Senior Information Security Analyst position.
- Considerable experience reviewing privacy and security controls, performing or coordinating security audits or assessments, and developing policy or procedure documentation is essential for the Senior GRC Analyst position.
- Familiarity with NIST 800-53 or other related security frameworks and/or with AWS or other cloud environments is required.
- Bachelor’s degree in information security, information systems, computer science, or a related field is preferred, but not required. In lieu of a bachelor’s degree, additional professional experience is required.
- Ability to research and remain up to date on regulatory compliance.
- Ability to work independently and as part of a team.
- Strong interpersonal skills and initiative.
- Ability to establish and maintain effective working relationships with SCC staff, industry personnel, auditors, and HBE partners and vendors.
- Excellent verbal and written communication skills.
- Strong problem-solving, analytical, and organizational skills.
- Ability to manage multiple priorities in a fast-paced environment.
- Experience with information security regarding the health insurance industry and/or the Affordable Care Act is a plus.
- CISA, CRISC, CGEIT, GRCP, CISM, or other related certifications are considered a plus.
How to Apply
Interested candidates are strongly encouraged to apply by May 4, 2026.
Qualified internal and external candidates are encouraged to apply. If you are an external candidate, apply on the SCC Career Center website at https://careercenter.scc.virginia.gov. If you are an internal candidate, apply using eSCC (Oracle) - iRecruitment Employee Candidate.