IRM Analyst

About The Position

Requirements

• 3–5 years of experience in Information Security, Governance, Risk, and Compliance (GRC), or Enterprise Risk Management
• Experience performing risk assessments — including risk identification, inherent/residual risk scoring, and documentation of findings
• Experience identifying, documenting, and evaluating controls — including assessment of design adequacy and operating effectiveness
• Strong working knowledge of NIST CSF, NIST SP 800-30/39/53, and ISO/IEC 27005 — ability to use these frameworks as a library of controls and risk guidance
• Advanced proficiency in Excel/Google Sheets (pivot tables, VLOOKUP, complex formulas) for risk data analysis and reporting
• Jira proficiency — managing projects, creating workflows and dashboards, and using JQL
• Ability to write clear, concise, and defensible Risk Assessment Memos
• Obsessive attention to detail regarding data integrity and documentation quality
• Foundational understanding of cloud-native architectures and common technical controls (IAM, encryption, logging/monitoring, network segmentation) — with a commitment to building deeper technical fluency
• Awareness of AI risk concepts and willingness to develop expertise in emerging AI risk and regulatory landscape
• A strong track record of collaborating effectively across teams and levels
• Bachelor's degree in Cybersecurity, Information Systems, Business Administration, or a related field
• Certifications: At least, one of the following certifications is required - CRISC, CISM, CISSP, or CISA

Responsibilities

• Execute risk assessments under senior guidance - perform scoping, inherent risk scoring, control assessment, and residual risk calculation using established methodology
• Conduct risk identification intake, manage the flow of requests from Jira Service Desk and the Issue Intake Tracker, review incoming submissions against entry criteria, assign Risk IDs, and replicate validated risks into the Risk Register
• Act as the Triage Officer for incoming risk submissions, determine whether submissions represent strategic risks, operational issues, or duplicates. Filter noise to focus the team on signals
• Develop risk scenarios for in-scope assets by working with asset owners and risk owners , identify threat communities, threat events, and impact categories
• Draft Risk Assessment Memos that tell a cohesive story from risk statement to risk rating to actionable recommendation. Progressively build toward independently authored memos that require minimal review notes
• Monitor and flag emerging risk signals , including AI-related risks (model integrity, data poisoning, shadow AI, third-party AI dependencies) , and escalate with documented analysis for integration into the risk framework
• Identify and document controls that mitigate assessed risks , map controls to specific risk scenarios and applicable framework requirements (NIST SP 800-53, ISO 27001, SOC 2)
• Assess the design adequacy of controls , evaluate whether each control is appropriately designed to address the risk it is mapped to, and document findings with supporting rationale
• Assess the operating effectiveness of controls , collect and evaluate evidence to determine whether controls are functioning as designed over the assessment period, and document results
• Document control gaps and support remediation tracking , maintain clear records of where controls are missing, partially effective, or require compensating controls. Track remediation progress
• Maintain control-to-framework mappings to ensure risk assessment outputs directly support audit and certification evidence packages (FedRAMP, SOC 2, ISO 27001, PCI-DSS)
• Apply the established risk taxonomy and categorization methodology consistently across all assessed risks
• Process risk acceptance requests in Jira , validate completeness, ensure documented context and stakeholder sign-off, confirm time-bound conditions, and flag concerns to the Senior lead
• Maintain the Risk Register, risk inventory, and supporting trackers with obsessive attention to data integrity, no missing dates, undefined owners, or stale entries. A Risk Register with governance gaps is a program failure
• Contribute to KRI data collection and dashboard inputs , support accurate, timely reporting that feeds executive risk dashboards and governance forum materials
• Engage directly with technical stakeholders (engineering, product, infrastructure teams) during risk assessments , ask informed questions, gather evidence, and document findings
• Progressively build the technical fluency to lead stakeholder conversations independently , develop working proficiency in cloud-native architectures, SaaS security models, and common technical controls (IAM, encryption, network segmentation, logging/monitoring)
• Translate technical findings into clear, business-relevant risk language in all written work products
• Support drafting and maintaining risk procedures, guidelines, and assessment templates across the IRM program scope
• Execute governance hygiene , data quality, tracker maintenance, workflow adherence, evidence organization, and documentation standards
• Manage the risk assessment pipeline in Jira, create and maintain workflows, dashboards, and use JQL to track the assessment ticket lifecycle

Benefits

• equity
• participation in the employee stock purchase program
• flexible paid time off
• 20 weeks fully-paid gender-neutral parental leave
• fertility and adoption assistance
• 401(k) plan
• mental health counseling
• access to transgender-inclusive health insurance coverage
• health benefits offerings