Cyber Risk Analyst

The Cyber Risk Analyst is responsible for assisting in the design, implementation, and governance of the second line information security framework, providing guidance and monitoring of 1st line IT Security and Technology control environment and teams. The Cyber Risk Analyst assists in maintaining IT risk management programs to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are protected.

• Design and document tests of controls, process walkthroughs, and risk assessments.
• Ability to analyze and assess threats and rate risks.
• Be aware of changes to and new regulations and prioritize them in our environment.
• Research, understand, and interpret regulations and frameworks that relate to Cybersecurity and IT.
• Evaluate and provide guidance to IT Security and Technology teams related to their standards, processes, and controls.
• Write procedures supporting IT risk frameworks and procedures for 1st line Information Security and Technology teams to implement controls, monitor controls, and report on the control environment and any corresponding issues or risks.
• Develop and update compliance procedures and training materials.
• Assist in documenting and uploading issues to GRC tool and reporting on issue status.
• Perform interviews and ask questions to gather information necessary to perform reviews and risk assessments.
• Serve as a facilitator for audits, examinations, and other reviews.
• Work with policy and standards owners to ensure policies adequately cover compliance and regulatory obligations.
• Assess risk and compliance gaps of IT systems, processes, and procedures. Work with the appropriate teams to remediate those gaps.
• Manage multiple projects independently. Lead cross-functional teams, present information, recommend process improvements, implement processes, etc.
• Research, test, and recommend deployment of additional security processes and products.
• Expand job knowledge through participation in educational opportunities, reading professional publications, maintaining professional network, and participation in professional organizations.
• Develop relationships throughout business, including IT, IT Security, Risk, and Compliance to influence stakeholders.
• Interface with third parties as needed to assist with independent risks assessments or other services needed to improve the IT risk program and control environment.
• Provide analysis and continuous improvement of the GRC tool capability through lifecycle management best practices.
• Work closely with the legal, risk, and compliance teams to comply with applicable laws and regulations pertaining to information security and privacy.
• Prepare for and deliver presentations to management.
• Assists in risk and security testing and preparing for audits and examinations.
• Review and provide guidance and quality control for critical IT and information security related KRIs / KPIs reporting and processes.
• Perform other duties as assigned.

• 3+ years of similar or related experience in Information Security, IT Risk, or Compliance. Or 2+ years of experience in Information Security / IT Audit or related consulting / professional services.
• Understanding of or experience meeting IT security control and attestation standards (e.g., NCUA, FFIEC, NIST, PCI, ITIL, ISO 27001, SOC II, etc.).
• Experience drafting IT processes and controls.
• Understanding of large-scale networks.
• Experience with Archer or other GRC automation tools preferred.
• Credit Union or banking experience preferred.
• Awareness and understanding of the purpose of industry standard enterprise-wide information security technologies and concepts, including but not limited to: Application Security, Cloud Security (AWS), Data Loss Prevention, Security Event Management, GRC Tools, Threat and Vulnerability Management, and Identity and Access Management.

• Clear understanding of relevant information security governance, technical and security standards and regulations.
• Familiarity with industry security standards including NIST 800-53, NIST 800-171, NIST CSF 2.0, NIST 800-30, PCI DSS, ISO 27001 and ISO 27018 as well as current data privacy regulations, including GDPR and regional standards.
• Knowledge of networking and network security.
• Understanding of Secure SDLC and DevSecOps or security automation.
• Demonstrated experience in cybersecurity best practices, cybersecurity threats and risk mitigation and resolution with extensive working knowledge of large-scale IT environments that have a wide range of different technologies in a highly integrated technology landscape.
• Proven ability to work and implement in a fast-paced environment with multiple priorities which require strong project management and decision-making capabilities.
• Strong collaborative problem solving and customer service skills that demonstrate the ability to gather and analyze information and identify and resolve issues or improve processes in a timely manner.