IT Risk Analyst, Intermediate

University of Chicago · Middletown, PA
1d · $95,000 - $101,000

About The Position

Under the general direction of the Director of Information Assurance, this position is responsible for providing consultation and assessments of risks and vulnerabilities; developing and tracking progress of risk remediation plans; implementing security standards, policies, and controls; and representing the Information Assurance program in campus forums.

Requirements

  • Minimum requirements include a college or university degree in related field.
  • Minimum requirements include knowledge and skills developed through 2-5 years of work experience in a related job discipline.

Nice To Haves

  • Associate's degree in computer science, information technology, or related field.
  • Prior experience in information management or related field.
  • Background with a vulnerability management product such as Qualys, Nessus, or Rapid7 InsightVM.
  • Working knowledge of legal, security or compliance frameworks such as FERPA, HIPAA, PCI-DSS, NIST 800-53r4, or similar.
  • Excellent verbal and written communication skills, especially in conveying technical concepts to a non-technical audience.
  • Handle multiple tasks and substantial deadline pressure.
  • Respond to changing priorities and operate effectively in a dynamic environment.
  • Weigh business needs against security concerns.

Responsibilities

  • Conducts risk assessments of business and IT environments to identify and address impacts to university objectives.
  • Leads strategic security framework evaluations and recommends improvements to overall security posture.
  • Performs NIST 800-171 and CMMC Level 1 assessments for regulatory compliance and data protection.
  • Conducts NIST 800-53 Physical and Environmental Controls assessment to safeguard critical infrastructure.
  • Researches and recommends complex risk scenarios based on organizational structures, policies, standards, technology, and controls to determine the likelihood and impact of identified risks.
  • Evaluates control gaps against university policies, standards, and architecture, quantifies risk likelihood and business impact, and provides detailed, data-driven mitigation strategies to inform and guide executive leadership decision-making.
  • Designs and develops comprehensive remediation plans for uncovered risks.
  • Maintains and enhances systems, develops specialized tools, and configures products for efficient tracking and management of the university’s information security program portfolio.
  • Restructures and formalizes the Risk Acceptance Letter process by establishing clear documentation, assigning owners, tracking remediation, and prioritizing efforts according to compliance and operational significance.
  • Provides expert guidance and oversight on security requirements and controls for major university projects, ensuring that appropriate security controls are implemented, tracked, and validated.
  • Reviews active projects, such as Phoenix AI, Globus CMMC and 800-171 assessments, and SFA CSF 2.0, delivering strategic security guidance, monitoring control implementation, and verifying effectiveness to mitigate potential security gaps.
  • Conducts comprehensive assessments of IT environments to ensure adherence to established configuration and management guidelines.
  • Performs in-depth evaluations as part of SFA CSF 2.0, NIST 800-171, CMMC Level 1, and NIST 800-53 assessments, identifying gaps or inconsistencies and recommending corrective actions to maintain a robust security and compliance posture.
  • Strategically consults with stakeholders across the University to design and refine security processes and guidelines, and to achieve security or compliance goals for projects, implementations, and RFPs.
  • Provides targeted security guidance, supports process and control implementation aligned with SFA CSF 2.0, NIST 800-53, NIST 800-171, and CMMC frameworks, and ensures compliance with University standards.
  • Critically reviews vendor contracts, project plans, and governing frameworks to identify security or compliance gaps, offering actionable recommendations for amendments or adjustments to align with University policies and regulatory requirements, and minimize risk exposure.
  • Investigates and researches emerging security issues, contributing to IT Security communications and awareness initiatives.
  • Documents internal processes and authors security standards and guidelines utilizing SFA CSF 2.0, NIST, and CMMC frameworks.
  • Develops and disseminates University-wide security awareness materials, leads key events such as the Cybersecurity Symposium and lunch and learn sessions, and produces monthly training metric reports for leadership.
  • Recommends and implements process and system enhancements to strengthen data systems security, identifying governance, process, and technical control gaps, and supporting improvements to elevate security posture, system integrity, and data protection.
  • Communicates proactively with user communities to understand their security needs, supports the implementation of tailored procedures, and ensures alignment with required security protocols.
  • Provides comprehensive guidance facilitating user education and compliance to reduce risk exposure.
  • Provides subject-matter expertise and mentorship, including guiding interns on projects such as BitSight and supporting additional University security initiatives.
  • Collects and analyzes security metrics, such as CrowdStrike, Information Security training, and RT ticket data, to inform compliance efforts and strategic security decisions.
  • With moderate direction from others, performs procedures necessary to ensure the safety of information systems.
  • Monitors system activity and identifies potential threats.
  • Responds to detected and reported security violations.
  • Researches, recommends, and implements changes to procedures and systems to enhance data systems security.
  • Performs other related work as needed.

Benefits

  • The University of Chicago offers a wide range of benefits programs and resources for eligible employees, including health, retirement, and paid time off.
  • Information about the benefit offerings can be found in the Benefits Guidebook.