Information Security Risk Analyst
About The Position
The Information Security Risk Analyst is responsible for identifying, assessing, tracking, and communicating information security risks across the organization. This role supports a maturing cybersecurity program by managing acceptable enterprise and third-party risks and leading security training initiatives. About CivicPlus At CivicPlus, we strive to bring our company vision to life through innovation and collaboration. Supported by approachable leadership and transparent communication, we're empowered to make an impact on local government and the residents they serve. Grow your career alongside great people, where authenticity is welcome, successes are celebrated, and potential is nurtured.
Requirements
- 4 – 6 Years of experience in information security, cybersecurity, risk management, or related field
- Working experience managing enterprise/third-party risk assessments, risk registers, and security training programs.
- Working experience supporting compliance audits and certifications, including NIST 800-53 (FedRAMP/GovRAMP), ISO 27001, PCI, and/or SOC 2
- Security+, GSEC, or equivalent
- Strong understanding of cybersecurity risk management principles and methodologies (such as NIST 800-30), modern security control frameworks (such as NIST 800-53), and Cloud / SaaS risk management and considerations (AWS, Azure, GCP)
- Ability to translate and communicate technical risks into clear business impact for non-technical stakeholders, including metrics (KPIs/KRIs) reporting and presentation
- Development of risk management and assessment policy and procedure documentation
- Inquisitive mindset for continuous monitoring and improvement within a mature security program
Nice To Haves
- Bachelor’s degree in Cybersecurity, Information Security, Information Systems, Risk Management, or a related field (preferred)
Responsibilities
- Identify and translate inherent and residual risk through likelihood, impact, treatment plans, and ownership.
- Define and track risk and awareness key metrics to measure program effectiveness and communicate to leadership and governance committees.
- Conduct and manage enterprise information security risk assessment through recognized frameworks (including NIST 800-30) and maintain an information security risk register.
- Lead third-party security risk assessments for vendors, partners, and service providers through analysis of assurance documentation, security testing summaries, and security questionnaires.
- Maintain the information security risk register and third-party vendor risk inventory to track and monitor ongoing risks and approved exceptions.
- Develop and lead enterprise security awareness training, including phishing simulations and targeted role-based training for security education and reporting.
- Support internal and external security and compliance assessments through risk evidence and documentation.
- Partner closely with organizational functions and key stakeholders to understand and address organizational risks across systems and processes, and ensure security risks are understood, prioritized, and treated in alignment with organizational risk appetite.
Benefits
- Comprehensive health insurance
- dental insurance
- vision insurance
- Flexible Time Off
- 401(k) plan
- and more
Stand Out From the Crowd
Upload your resume and get instant feedback on how well it matches this job.
What This Job Offers
Job Type
Full-time
Career Level
Mid Level
