Cyber Security Analyst

About The Position

Requirements

• Demonstrated experience in cybersecurity analysis, technology or architecture review, third-party or solution security evaluations, or related security-engineering activities. Familiarity with cybersecurity standards, control frameworks, and risk-management practices applicable to government environments is strongly desired.
• Strong understanding of cybersecurity principles, best practices, and control frameworks (e.g., NIST CSF, NIST 800-53).
• Demonstrated ability to interpret SOC 2 Type II reports, ISO 27001 certifications, penetration test reports, and related third-party security documentation.
• Familiarity with architectural review processes, cloud security concepts, and secure design principles.
• Experience conducting third-party, vendor, or technology risk assessments and identifying compensating controls.
• Experience supporting or operating within a Third-Party Risk Management (TPRM) program.
• Strong analytical, technical writing, and documentation skills with the ability to clearly communicate risk to both technical and non-technical stakeholders.
• Ability to manage multiple concurrent assessments while meeting deadlines in a fast-paced environment.
• Strong organizational skills, attention to detail, and sound professional judgment in evaluating and documenting risk.

Nice To Haves

• Working knowledge of Governance, Risk, and Compliance (GRC) platforms (e.g., Archer or similar tools)
• Experience leveraging third-party risk monitoring tools (e.g., Black Kite)
• Local, state, or federal government experience.

Responsibilities

• Conduct security reviews for new technologies, cloud services, applications, and proposed solutions.
• Review architectural diagrams to verify appropriate security controls, configurations, and data-protection mechanisms.
• Assess alignment with State of Maine security requirements and applicable regulatory or compliance standards.
• Develop and document risk assessments with actionable recommendations to support procurement and technology-adoption decisions.
• Review and analyze third-party cybersecurity attestations, including SOC 2 Type II, ISO 27001 certifications, external penetration tests, and security questionnaires.
• Identify control gaps, inherited risks, and areas requiring additional compensating controls.
• Coordinate with procurement, legal, and business stakeholders during vendor onboarding and technology evaluation.
• Assist in developing, enhancing, and maintaining the statewide TPRM program.
• Leverage and operationalize TPRM tools, including Black Kite, to support ongoing monitoring, vendor tiering, and risk scoring.
• Contribute to the creation of policies, processes, templates, and guidelines that mature the third-party risk-evaluation process.
• Utilize the Archer GRC platform to document risk assessments, waiver reviews, and remediation tracking activities.
• Support the continued implementation and refinement of Archer workflows related to enterprise risk management.
• Contribute to data quality, reporting accuracy, and process improvements to enhance risk visibility and governance maturity.
• Support the review of security waiver requests that require deeper technical analysis to evaluate risks of temporary control exceptions.
• Document findings, risk impacts, and recommended mitigation strategies to inform risk acceptance decisions.
• Assist in maintaining the statewide security risk register, ensuring risks are documented, categorized, and updated.
• Track remediation progress and validate completion for risks that exceed established tolerance thresholds.
• Collaborate with stakeholders to monitor deadlines, escalate overdue items, and verify mitigation plans remain effective.