IT Security Risk Analyst II

Western Governors University
Salt Lake City, UT
Onsite

About The Position

As an IT Security Risk Analyst II, you will play a critical role in protecting WGU’s students, data, and mission by ensuring third parties and suppliers meet the university’s security and risk management standards. This is a hands-on, experienced role where you will own vendor risk assessments end to end, contribute to broader enterprise risk initiatives, and help mature WGU’s third-party risk management program through strong judgment, clear communication, and continuous improvement.

Requirements

  • Bachelor’s degree in Cybersecurity, Information Security, Computer Science, Information Systems, or a related field
  • 3 or more years of experience in IT security or risk management with direct third-party or vendor risk assessment ownership
  • Demonstrated ability to independently deliver end-to-end risk assessments on schedule
  • Broad understanding of information security risk beyond TPRM, including internal systems, projects, and policy exceptions
  • Hands-on experience evaluating SOC 2, ISO certifications, SIG questionnaires, and penetration test results
  • Practical knowledge of cloud environments and associated security controls
  • Strong risk judgment with the ability to weigh evidence and make defensible determinations
  • Clear written and verbal communication skills, able to articulate risk to technical and non-technical audiences
  • Accountability for quality, accuracy, and timelines without constant oversight

Nice To Haves

  • Certifications such as CRISC, CISA, CISM, CISSP, or cloud security credentials
  • Experience in higher education or financial services environments
  • Experience with TPRM programs aligned to NIST 800-171 or CMMC
  • Knowledge of FERPA and GLBA as applied to third-party data sharing and sensitive data protection

Responsibilities

  • Own and execute third-party and supplier risk assessments using NIST 800-171 and similar frameworks
  • Independently scope assessments by identifying data flows, CUI exposure, inherent risk, and assessment approach
  • Validate vendor controls and trace conclusions from inherent risk through residual risk with defensible rationale
  • Review and analyze vendor evidence such as SOC 2 Type II reports, ISO 27001 certifications, SIG responses, and penetration test summaries
  • Evaluate security controls across infrastructure, applications, and cloud environments including AWS and Azure, clearly identifying gaps
  • Assess vendor criticality and business impact, including breach and termination scenarios
  • Conduct OSINT research to inform third-party security posture and risk profile
  • Deliver clear, actionable risk assessment reports, including executive summaries for leadership
  • Partner with business units to translate technical risk into business impact and guide remediation efforts
  • Contribute to internal risk assessments, exception-to-policy evaluations, and enterprise risk discussions
  • Identify process gaps and propose practical improvements, including AI-driven efficiencies to enhance assessment quality and speed

Benefits

  • medical, dental, vision, telehealth and mental healthcare
  • health savings account and flexible spending account
  • basic and voluntary life insurance
  • disability coverage
  • accident, critical illness and hospital indemnity supplemental coverages
  • legal and identity theft coverage
  • retirement savings plan
  • wellbeing program
  • discounted WGU tuition
  • flexible paid time off for rest and relaxation with no need for accrual
  • flexible paid sick time with no need for accrual
  • 11 paid holidays
  • other paid leaves, including up to 12 weeks of parental leave