Information Security Risk Assessor

Ashburn Consulting LLC is looking for an Information Security Risk Assessor to join us in providing support to Montgomery County Government Office of Technology and Enterprise Business Solutions (TEBS).

The objective of this task order is to obtain the services of a qualified Information Security Risk Analyst to support the Countys Governance Risk and Compliance (GRC) program. The Analyst will be responsible for identifying assessing and documenting risks associated with information systems technologies vendors and operational processes with a focus on promoting risk-informed decision-making and ensuring alignment with the Countys security policies and regulatory requirements.

Key responsibilities include:

• Conducting structured risk assessments reviewing internal controls evaluating third-party security attestations and supporting vulnerability and compliance activities.
• The Analyst will also process policy exception requests submitted through the Countys ServiceNow GRC module by validating submitted information conducting risk evaluations and preparing formal recommendations for approval or denial.
• The role requires close collaboration with cross-functional teams to enhance the Countys overall risk posture and ensure adherence to internal policies and external compliance mandates.

Scope of Work:

The Cyber Security Risk Analyst will support the Countys Governance Risk and Compliance (GRC) efforts by performing detailed risk evaluations and compliance assessments. The analyst will work primarily within the Countys ServiceNow GRC platform to review IT security policy exception requests assess vulnerabilities and support broader risk governance activities. Responsibilities include but are not limited to the following:

1. Cross-Functional Risk Support Responsibilities

• Collaborate with internal departments including IT legal compliance audit and business operations to identify assess and manage cybersecurity risks across the organization.
• Support vulnerability assessments by interpreting technical findings validating remediation efforts and ensuring alignment with policy.
• Participate in internal control evaluations to assess effectiveness and identify potential gaps based on relevant frameworks such as NIST 800-53 and ISO 27001.
• Assist with the design documentation and implementation of risk treatment plans ensuring appropriate mitigation strategies are in place and tracked through resolution.
• Contribute to audit preparation activities respond to information requests and support remediation of audit findings as needed.
• Use ServiceNow GRC functionality to support workflow management risk tracking and reporting.
• Recommend improvements to exception request workflows dashboards and system configurations where appropriate.

1. Policy Exception Review Process

• Review and assess policy exception requests submitted via the Countys ServiceNow GRC platform.
• Confirm the completeness consistency and accuracy of the information provided in the exception request form.
• Conduct detailed risk assessments for each exception request identifying relevant threats vulnerabilities likelihood of exploitation and potential impacts.
• Analyze the effect of granting exceptions on system security regulatory compliance and business continuity.
• Develop formal approval or denial recommendations based on the risk assessment and alignment with County policy and risk tolerance.
• Document all risk analysis decisions and recommendations in the ServiceNow GRC platform in accordance with County policy and audit standards.
• Present findings and recommendations to the CISO and designated approvers.
• Use ServiceNow GRC functionality to support workflow management risk tracking and reporting.
• Recommend improvements to exception request workflows dashboards and system configurations where appropriate.

Qualifications :

• Must be able to work On-Site 5 days a week in Montgomery County Maryland. (Possibility for a Hybrid Schedule in the future.)
• Candidates Must have at least 4-5 years of experience in Information Security Risk Assessment or another related Cyber Security / IT field.
• Must have at least one or multiple of the following Certifications:  

1. CISSP (Certified Information Systems Security Professional)
2. CRISC (Certified in Risk and Information Systems Control)
3. GRCP (GRC Professional Certification)
4. CISA (Certified Information Systems Auditor)
5. CGRC (Certified in Governance Risk and Compliance)

• Demonstrated hands-on experience with Governance Risk Compliance tools such as ServiceNow Riskonnect LogicManager RSA Archer.
• Strong understanding and application of cybersecurity risk management principles and control frameworks including NIST SP 800-53 NIST RMF 800-37 ISO 27001 HIPAA Security Rule PCI and FedRAMP.
• Demonstrated ability to conduct structured risk assessments to include the analysis of compensating controls residual risk determination application of quantitative risk models and providing formal recommendation regarding the acceptance or denial of exception requests.
• Demonstrated experience with the policy exception request process to include the intake/review of new exception requests to ensure completeness accuracy and consistency of the information provided follow up with requestors to obtain missing or unclear information performance of risk assessments approval/denial recommendations and stakeholder communications regarding risk acceptance
• Strong technical foundation with the ability to interpret network diagrams threat models vulnerability scan results and compliance assessment reports.
• Familiarity with risk qualification methodologies such as NIST ISO 27005 Factor Analysis of Information Risk (FAIR).
• Demonstrated ability to evaluate third-party System and Organization Controls (SOC) reports specifically SOC 1 Type II and SOC 2 Type IIfor completeness relevance and control alignment.
• Proven ability to contribute to third-party risk assessments compliance audits and the evaluation of internal security controls.
• Proven track record in performing the duties of an Information Security Risk Analyst including structured risk assessments and policy exception reviews.
• Track record of supporting policy exception management processes and risk tolerance assessments in complex regulatory environments.

Additional Information :

Equal Opportunity Employer/Veterans/Disabled. An Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race color religion sex sexual orientation gender identity national origin or protected veteran status

Ashburn Consulting is an Equal Opportunity Affirmative Action Employer.
In compliance with the American with Disabilities Act Amendments Act (ADAAA) if you have a disability and would like to request and accommodation in order to apply for a position with Ashburn Consulting please e-mail .