Information Security Risk Analyst

5 years

0 Lacs

Posted: 1 day ago | Platform: LinkedIn

Work Mode

On-site

Job Type

Contractual

Job Description

  • Execute end-to-end risk assessments across products, platforms, processes, and changes, following the RMF stages of Identification → Analysis → Evaluation and documenting impacted assets, threats, existing controls, vulnerabilities, and consequences.
  • Apply consistent scoring using defined likelihood/impact scales (Low=1, Medium=2, High=3) and the Risk Score = Probability × Impact formula; determine Low/Medium/High levels per thresholds.
  • Drive treatment decisions (mitigate/retain/avoid/share) and produce clear treatment plans with owners and dates. Manage acceptance and escalation based on criteria (e.g., Medium → Director; High → VP) and ensure approvals are recorded.
  • Maintain the Risk Register with current statuses, residual risk, review dates, and evidence.
  • Communicate results and treatment plans to stakeholders; keep two-way communication flowing and traceable.
  • Monitor and trigger re-reviews when assets, threats, or vulnerabilities change; schedule periodic reassessments. Report posture and trends (e.g., risk distribution, SLA adherence, overdue treatments) at the cadence required.
  • Flex to TPRM: perform vendor security assessments using our TPRM workflow when inbound volume is high or the dedicated resource is OOO; document results to the same standard as internal assessments.
What you’ll bring

  • 2–5 years in InfoSec risk, GRC, or audit with heavy assessment operations focus (high volume, strict SLAs).
  • Demonstrated familiarity with NIST RMF (SP 800-37), NIST SP 800-30, and control catalogs (e.g., SP 800-53); ISO 27005 a plus.
  • Proven ability to follow a defined process with high accuracy and stamina; you like “closing loops” and maintaining consistency.
  • Great written communication for treatment plans, acceptance memos, and stakeholder updates.
  • Hands-on with GRC/risk tools (e.g., ServiceNow, Archer, OneTrust, custom trackers); strong spreadsheet hygiene.
  • Comfortable assessing application/service changes, infrastructure, and vendors using structured questionnaires and evidence.
  • Basic data chops for slicing risk data (pivoting, simple charts) and monitoring queues.
Qualifications Required

  • 2–5 years hands-on experience running information security risk assessments in an operational capacity (NIST RMF / NIST SP 800-30).
  • Proven ability to apply a predefined process consistently: intake → scoping → risk statement → likelihood/impact scoring → treatment → acceptance → register updates.
  • Strong grasp of NIST SP 800-37 (RMF) and NIST SP 800-53 control families; ISO 27005 familiarity is a plus.
  • Comfortable evaluating evidence: policies/standards, SOC 2 Type II reports, ISO/IEC 27001 certificates, penetration test reports, vulnerability scans, and cloud configuration artifacts.
  • Experience managing a risk register and assessment queue with SLAs; high throughput without quality drift.
  • Tooling fluency with GRC/risk platforms (e.g., ServiceNow GRC, Archer, OneTrust, or similar) and solid spreadsheet hygiene (filters, pivots, data validation).
  • Clear, concise writing for risk statements, treatment plans, acceptance memos, and stakeholder updates.
  • Strong understanding of core control domains: IAM, network & cloud security, application security, vulnerability management, logging/monitoring, incident response, and BC/DR.
  • Bias for closure and attention to detail; able to run multiple assessments in parallel while maintaining consistency.