Cybersecurity Risk Analyst
*Local within 2 hours of Harrisburg, PA preferred
*This is a hybrid position with 2 days/week onsite
Description:
- The Technical Security Risk Governance Analyst supports the states cybersecurity program by performing risk assessments control testing and governance activities across enterprise systems applications networks and cloud services.
- This role partners with IT business owners and audit teams to ensure security controls are designed implemented and operating effectively in alignment with state policy NIST CSF/800-53 and other regulatory frameworks e.g. CJIS IRS Pub 1075 HIPAA PCI DSS.
- The Analyst develops pragmatic recommendations tracks remediation and produces metrics for leadership and regulatory reporting.
Responsibilities:
Risk Assessment Control Assurance:
- Conduct technical security risk assessments for on prem cloud IaaS/PaaS/SaaS and hybrid solutions document risks likelihood/impact and recommended mitigations.
- Perform control design/operating effectiveness testing against NIST CSF/80053 CIS Controls ISO/IEC 27001 and agency security standards.
- Support Authority to Operate ATO processes security attestations and continuous monitoring.
- Facilitate threat modeling and security architecture reviews advise on secure patterns network segmentation IAM least privilege encryption logging.
Governance Compliance:
- Maintain security policies standards procedures and control libraries align updates with legislative or regulatory changes.
- Map agency controls to relevant mandates e.g. CJIS IRS 1075 HIPAA FERPA PCI DSS state statutes/policies and track compliance gaps.
- Coordinate internal/external audits lead evidence collection responses and remediation plans.
- Administer or contribute to GRC tooling for issues exceptions and risk registers.
Vulnerability Third Party Risk:
- Establish governance for vulnerability management SLAs exception management risk acceptance monitor patching and remediation progress.
- Perform vendor/security reviews SaaS MSPs cloud providers evaluate SOC 2/ISO certifications and negotiate security clauses with procurement/legal.
- Review data protection encryption and privacy risks in new procurements and major system changes.
Metrics Reporting Communication:
- Develop and maintain dashboards and performance indicators risk posture control maturity vulnerability closure rates brief leadership on trends and priorities.
- Produce clear actionable reports for technical teams and nontechnical stakeholders.
- Promote security awareness and targeted training e.g. secure configuration privacy by design third party onboarding.
Incident Change Advisory Support:
- Provide risk-informed guidance during incident response root cause control gaps corrective actions.
- Review change requests for security impacts ensure appropriate testing logging and rollback plans.
Preferred Certifications:
o CISSP CISM CRISC CGRC CAP Security CCSK/CCSP/CISA
o Vendor/cloud certs AWS/Azure/GCP security specialty are a plus.
Skills/Knowledge/Experience:
- Bachelors degree in Information SecurityComputer Science Information Systems or related field OR equivalent experience.
- 1-3 years in information security risk management audit or related technical role.
Knowledge:
- Security frameworks and regulations: NIST CSF/80053 CIS Controls ISO 27001 familiarity with CJIS IRS Pub 1075HIPAA FERPA PCI DSS and state policy.
- Core security domains: identity and access management IAM network security endpoint security vulnerability management logging/SIEM encryption/PKI secure DevOps.
- Cloud security concepts shared responsibility CSPM workload protection KMS/CMKs conditional access zero trust.
Skills:
- Technical assessment and control testingability to validate configurations and interpret scan results
- Risk analysis and documentation creating practical risk treatment plans and exceptions with compensating controls.
- Using GRC platforms building workflows control libraries and risk registers.
- Data analysis and dashboarding Excel/Power BI concise report writing and presentation to executives.
Abilities:
- Translate technical findings into business risk terms and prioritized actions.
- Collaborate across IT operations legal procurement and program areas influence without authority.
- Handle multiple assessments and deadlines maintain confidentiality and sound judgment.
- Continuous learning and adapting to new threats technologies and mandates.
Work Conditions Requirements:
- Background check per state policy may require CJIS/IRS Pub 1075 clearance depending on data systems.
- Occasional travel to agency sites or data centers.
- Participation in afterhours change windows or incident support as needed.
- Hybrid/telework eligibility per agency policy.
- Performance Measures
- Ontime completion of risk assessments and control tests.
- Reduction in high/critical findings SLA adherence for remediation.
- Audit outcomes deficiency reduction timely corrective actions.
- Governance deliverables policy refresh cycle control library currency.
- Stakeholder satisfaction and effectiveness of risk communications.
Required Skills/Knowledge/Experience:
- Experience in info security, risk management, audit or related technical role, Required 3 Years
- Knowledge of NIST CSF/800-53, CIS Controls, ISO 27001 and state polices, Required
- Experience conducting technical assessments and control testing; proven ability to validate configs and interpret scan results, Required
- Experience with data analysis and dashboarding (Excel/Power BI), concise report writing, and ability to present to senior leadership, Required
- Experience using GRC platforms; building workflows, control libraries, and risk registers, Required
- Experience with risk analysis and documentation; creating practical risk treatment plans and exceptions with compensating controls, Required
- CISSP, CISM, CRISC, CGRC (CAP), Security+, CCSK/CCSP, or CISA certification, Highly desired
- AWS/Azure cloud certifications are a plus, Highly desired
Proper email communication will only be done to and from @astyra.com email addresses. Please ensure you are communicating with approved Astyra recruiters by checking this point when receiving offers and messages from us. Please ensure you are communicating within these guidelines and proper channels for the quickest possible interview consideration!
#AC