Cybersecurity Risk and Compliance Analyst

Job Title: Cybersecurity Risk and Compliance Analyst (Onsite)

Location: Rockville MD

Duration: 12 Months

Job Pro le Summary

The Cybersecurity Risk Analyst is responsible for supporting and advancing the organizations Governance Risk and Compliance (GRC) functions. This role helps ensure regulatory compliance strengthens the overall security posture and drives risk management initiatives across systems networks and third-party vendors. The Analyst works closely with cross-functional teams to coordinate remediation e orts identify and assess vulnerabilities implement and validate security controls and enhance the organizations risk management compliance vulnerability and third-party risk management capabilities.

• Governance and Compliance:
  • Maintain the GRC framework in alignment with organizational policies and regulatory requirements including FERPA GLBA PCI-DSS and other privacy regulations.
  • Support compliance activities related to security frameworks such as NIST SP 800-171 CIS Controls and PCI-DSS.
  • Analyze requirements needed to comply with college policies and procedures industry standards and federal state and local regulations.
  • Conduct regular reviews assessments and updates of policies standards and procedures to re ect changes in frameworks regulations and industry standards.

• Risk Management:
  • Maintain and update the risk register with identi ed risks assessments mitigation strategies and status updates.
  • Evaluate and prioritize vulnerabilities based on severity risk exposure exploit likelihood and business impact.
  • Document risk exceptions in accordance with established policies ensuring proper review and approval work ows.
  • Document track and communicate risk exceptions to relevant stakeholders to promote transparency and understanding.
  • Perform risk assessments and prepare reports summarizing ndings and recommendations for management.
  • Monitor emerging risks industry trends and regulatory changes; recommend enhancements based on best practices.

• Security Controls Validation:
  • Validate the implementation and e ectiveness of security controls by conducting and participating in internal assessments and audits.
  • Collaborate with IT and security teams to remediate identi ed control gaps and track follow-up actions.

• Third-Party Risk Management:
  • Conduct assessments of third-party vendors including reviewing and validating security and privacy documents and compliance evidence.
  • Ensure vendors meet organizational risk security and compliance requirements.
  • Track vendor risks ndings and remediation activities as part of the third-party risk

management program.

• Vulnerability Management:
  • Conduct regular vulnerability scans and assessments across networks systems applications and cloud platforms.
  • Analyze scan results to identify security weaknesses miscon gurations and areas of elevated risk.
  • Correlate vulnerability data with current threat intelligence to assess exploitability and potential impact.
  • Continuously monitor the environment for new vulnerabilities zero-days and emerging threats.

• POA&M Management:
  • Maintain detailed tracking of vulnerabilities including deadlines remediation progress ownership and closure.
  • Develop manage and update Plans of Action and Milestones (POA&Ms).
  • Validate remediation actions to ensure vulnerabilities are e ectively resolved.
  • Participate in cross-functional remediation projects to ensure timely and e ective risk reduction.

• Reporting & Documentation:
  • Produce detailed reports on identi ed vulnerabilities severity levels business impact and remediation status.

• • Maintain documentation of assessment ndings remediation e orts compliance standards and audit requirements.
  • Present management summaries and dashboards for leadership and governance committees.

• • Deliver training sessions on risk management practices compliance requirements and security standards.
  • Conduct training sessions to raise awareness on vulnerabilities secure con gurations and mitigation best practices.
  • Foster a culture of compliance and risk awareness across the organization.

• Knowledge of cyber security and privacy industry including the technology used to protect the confidentiality integrity and availability of sensitive information.
• Working knowledge of security frameworks and regulatory requirements such as NIST SP 800-171 CIS Controls FERPA GLBA PCI-DSS and privacy standards.
• Knowledge appreciation and prioritization of principles and practices of project organization planning records management and general administration.
• Working knowledge of IT enterprise operations architecture and IT as a Service.
• Strong understanding of vulnerability management principles methodologies and tools
• Familiarity with patch management processes secure configuration standards and system hardening practices.
• Working knowledge of common threat vectors exploitation techniques and the vulnerability lifecycle.
• Knowledge of risk management concepts risk scoring risk registers and POA&M tracking.
• Familiarity with SOC reports third-party risk assessments and due diligence reviews.
• Ability to analyze vulnerability data correlate findings with threat intelligence and assess potential business impact.
• Skilled in interpreting scan results identifying false positives and validating remediation actions.
• Ability to perform root-cause analysis for recurring or high-risk findings.
• Strong attention to detail when documenting risks findings or compliance gaps.
• Ability to manage multiple assessments findings risks and remediation efforts simultaneously.
• Skill in writing policies standards processes and procedures.
• Skill in leading and/or conducting audits assessments or reviews of technical systems and processes.
• Effective verbal and written communication skills presentation and public speaking skills.
• Effective skills in developing and presenting educational or training programs.
• Effective planning organizational and multi-tasking skills with minimal supervision.
• Ability to think critically and analyze information and situations; present findings and make recommendations.
• Ability to identify compliance and security needs independent of management direction.

• Ability to grasp technical concepts at all levels of computer systems from system hardware components and architecture to system integration and implementations.
• Ability to work independently and as part of a team.
• Ability to advise train and motivate technical and non-technical individuals in regulatory compliance and information and systems security efforts.
• Ability to work effectively with an array of constituencies in a community that is both demographically and technologically diverse.
• Ability to communicate technical concepts and data to non-technical audiences.
• Ability to achieve goals through influence collaboration and cooperation.
• Ability to communicate complex information concepts or ideas in a confident and well-organized manner through verbal written and/or visual means.
• Ability to produce technical documentation.
• Ability to handle and maintain confidential information.
• Ability to exercise judgment when policies are not well-defined.
• Ability to think critically analyze issues and solve sensitive and complex problems under pressure.

• Bachelors degree from an accredited college or university with course work in cybersecurity and information technology or a related eld and/or any combination of education training and experience that provides the required knowledge and expertise to perform the essential functions of the position.
• Three years of information security experience including conducting risk assessments/audits/reviews of information systems and assessing and/or mitigating information security threats/risk and/or three years of working experience with security requirements systems security architecture as related to risk management.

• Decision Making
  • Decisions may a ect a work unit or area within a department. May contribute to business and operational decisions that a ect the department.
• Problem Solving
  • Problems are varied requiring analysis or interpretation of the situation. Problems are solved using knowledge and skills and general precedents and practices.
• Independence of Action
  • Results are de ned and existing practices are used as guidelines to determine speci c work methods and carries out work activities independently; supervisor/manager is available to resolve problems.
• Communication and Collaboration
  • Contacts and information are primarily within the jobs working group department and/or campus.
  • Contacts and information sharing are external to the jobs department but internal to the campus/campuses (i.e. other departments/campuses central administration/services such as Human Resources Payroll Finance Facilities Mail Services Student Services etc.)