Security Risk Analyst
The College Board, the national educational organization, is conducting a search for a Security Risk Analyst for our Information Security Governance, Risk and Compliance department. This position is based in our Reston, Virginia office.
Named by Fast Company as one of the most innovative education companies, the College Board is a mission-focused organization. This job requires a strong focus on improving educational opportunities and outcomes, particularly for disadvantaged students, in the context of a competitive business environment.
The ISGRC team helps support the College Board by maintaining and enforcing security policies and standards throughout the enterprise. All information security awareness and training, security governance, risk management and compliance activities (e.g., ISO 27001, PCI-DSS and SOC) are run by the ISGRC function.
The Security Risk Analyst’s role is to successfully identify, track, and mitigate risks throughout the College Board’s enterprise. These risk management activities are core to the College Board’s way of building our next-generation systems. In this role, you will build partnerships with the Information Technology and Operations teams to successfully achieve higher-level College Board risk management goals as well as GRC departmental objectives. The role requires regular interaction with the Information Security Office (ISO), so previous experience within an Information Security department where you performed risk assessments, security controls assessments or other security assessment activities is a must.
This is a hands-on role where the Risk Analyst must work with a combination of executives, technical, and non-technical staff to:
- Support the Director of Risk Management in enhancing the security risk management function within the College Board
- Support and enhance information security risk management activities
- Serve as an individual contributor towards risk identification, risk tracking, and related risk activities
- Support the achievement of a robust risk management, scoring, and treatment program
A successful candidate will have experience using a GRC tool and security risk management processes, including their relationship to information security practices. The candidate will be a great team player with the flexibility to help out wherever needed and be open to learning; will have excellent project management skills and a demonstrated ability to support multiple initiatives simultaneously; and will be a superb individual contributor who achieves results while maintaining a high velocity of activity across the risk management program.
What you’ll do
- Supports College Board’s risk management programs (such as performing risk identification, risk scoring, risk mitigation, and risk interactions reviews)
- Provides analysis in risk treatment processes
- Uses risk models that bring perspective to business risks
- Sources and collects necessary data for College Board risk models
- Interprets risk data, analyzes results, and provides ongoing feedback and reports
- Works with the Director, Risk Management to translate risk management processes into technology platforms for successful risk mitigation
- Develops detailed information security risk mitigation plans including recommendations and thresholds for risk transference, risk acceptance, and risk reduction
- Presents ongoing status and performance of the College Board’s information security and risk management program to the Chief Risk Officer (CRO) and Senior Director ISGRC
- Maintains risk management documentation including waivers, exceptions, risk thresholds, risk heat maps, etc.
- Administers risk management tools and capabilities
- Performs risk assessments in partnership with other departments
- Manages relationships with the IT, Information Security, and other stakeholders
- Other duties as assigned
- Maintains a professional working relationship throughout all levels of the enterprise including the Information Security Team, IT and Operations teams, and other significant contacts within the organization. Works closely with key IT stakeholders and business users for security program implementation and information collection and dissemination.
- Maintains regular contact with vendor security and support teams. Develops relationships with professional organizations. May work with partners, customers or other third-party contractors on items related to information security. Maintains contacts with third-party vendors for risk management purposes.
- Bachelor’s Degree in Business, Management, Computer Sciences, or equivalent prior work experience in a related field
- A minimum of three (3) years in a computer-related field, with at least two (2) in Information Security or information risk management in an enterprise setting
- Demonstrated competency in information security risk management in a cross-functional environment
- Excellent client-facing and internal communication skills
- Strong understanding of risk management techniques such as risk scoring, risk transference, setting risk appetites, mitigating controls, and risk register maintenance
- Basic understanding of information security risk management requirements from frameworks such as ISO 27001, COBIT, NIST CSF, NIST SP 800-53, etc.
- Current Information Security Certification (e.g. CISSP, CRISC, CISM, CISA, or related security certification) preferred, or the ability to attain one within 6 months of hire
More about you
- Willingness/ability to work off-shifts (evening, night-time, weekend) as needed or required
- Knowledge of risk assessment, compliance, policy management and business continuity processes
- Knowledge of enterprise IT technologies and non-functional requirements such as Identity and Access Management; Systems and Network Architecture; Cryptography; Patch and Vulnerability Management, etc.
- Ability to work effectively in both an independent and a team environment
- Experience with performing short-term planning sessions
- Must have the ability to understand technical concepts and communicate security-related concepts to a broad range of technical and non-technical staff, security vendors, consultants and senior management
- Possesses strong interpersonal and management skills
- Excellent oral and written communication skills, with the ability to present and discuss technical information in a way that establishes rapport, persuades others, and gains understanding
- Confidence and supportiveness as a member of security teams in working with business users in a cross-functional environment, and a “can do” attitude
- Excellent problem-solving and analytical ability
- Requires use of a wireless handheld device with messaging capability
This position is subject to a background check.
The College Board is dedicated to the principle of equal opportunity and its programs, services and employment policies are guided by that principle.
We offer our employees an outstanding benefits package which includes 4 weeks of paid time off, a generous retirement savings plan, tuition reimbursement and ongoing professional development and training.
Our mission is to clear a path for all students to own their future.
The College Board is committed to diversity in the workplace and is an Equal Opportunity Employer. The College Board participates in E-Verify, a service of DHS and SSA, where required. Please understand that only qualified applicants will be contacted.