Technical Security Risk & Governance Analyst

About The Position

Requirements

• Bachelor’s degree in Information Security,Computer Science, Information Systems, or related field; OR equivalent experience.
• 1–3 years in information security, risk management, audit, or related technical role.
• Security frameworks and regulations: NIST CSF/800‑53, CIS Controls, ISO 27001; familiarity with CJIS, IRS Pub 1075,HIPAA, FERPA, PCI DSS, and state policy.
• Core security domains: identity and access management (IAM), network security, endpoint security, vulnerability management, logging/SIEM, encryption/PKI, secure DevOps.
• Cloud security concepts (shared responsibility, CSPM, workload protection, KMS/CMKs, conditional access, zero trust).
• Technical assessment and control testing;ability to validate configurations and interpret scan results
• Risk analysis and documentation; creating practical risk treatment plans and exceptions with compensating controls.
• Using GRC platforms; building workflows, control libraries, and risk registers.
• Data analysis and dashboarding (Excel/Power BI),concise report writing, and presentation to executives.
• Translate technical findings into business risk terms and prioritized actions.
• Collaborate across IT, operations, legal,procurement, and program areas; influence without authority.
• Handle multiple assessments and deadlines;maintain confidentiality and sound judgment.
• Continuous learning and adapting to new threats,technologies, and mandates.
• Background check per state policy; may require CJIS/IRS Pub 1075 clearance depending on data systems.
• Occasional travel to agency sites or data centers.
• Participation in after‑hours change windows or incident support as needed.
• Hybrid/telework eligibility per agency policy.

Nice To Haves

• CISSP, CISM, CRISC, CGRC (CAP), Security+, CCSK/CCSP,CISA
• Vendor/cloud certs (AWS/Azure/GCP security specialty) are a plus.

Responsibilities

• Conduct technical security risk assessments for on‑prem, cloud (IaaS/PaaS/SaaS), and hybrid solutions; document risks, likelihood/impact, and recommended mitigations.
• Perform control design/operating‑effectiveness testing against NIST CSF/800‑53, CIS Controls, ISO/IEC 27001, and agency security standards.
• Support Authority to Operate (ATO) processes,security attestations, and continuous monitoring.
• Facilitate threat modeling and security architecture reviews; advise on secure patterns (network segmentation, IAM,least privilege, encryption, logging).
• Maintain security policies, standards,procedures, and control libraries; align updates with legislative or regulatory changes.
• Map agency controls to relevant mandates (e.g.,CJIS, IRS 1075, HIPAA, FERPA, PCI DSS, state statutes/policies) and track compliance gaps.
• Coordinate internal/external audits; lead evidence collection, responses, and remediation plans.
• Administer or contribute to GRC tooling for issues, exceptions, and risk registers.
• Establish governance for vulnerability management (SLAs, exception management, risk acceptance); monitor patching and remediation progress.
• Perform vendor/security reviews (SaaS, MSPs,cloud providers), evaluate SOC 2/ISO certifications, and negotiate security clauses with procurement/legal.
• Review data protection, encryption, and privacy risks in new procurements and major system changes.
• Develop and maintain dashboards and performance indicators (risk posture, control maturity, vulnerability closure rates); brief leadership on trends and priorities.
• Produce clear, actionable reports for technical teams and non‑technical stakeholders.
• Promote security awareness and targeted training(e.g., secure configuration, privacy by design, third‑party onboarding).
• Provide risk-informed guidance during incident response (root cause, control gaps, corrective actions).
• Review change requests for security impacts;ensure appropriate testing, logging, and rollback plans.

Benefits

• Health Care Plan (Medical, Dental & Vision)
• Retirement Plan
• Paid Time Off