Jobs · Finance · New Hampshire

Business Risk Operations Senior Analyst

Lighthouse Credit Union · Dover, NH · 1 mo ago
FinanceFull-time

User Access Review (UAR) Governance

  • Administers end-to-end User Access Reviews (UARs) as independent governance control, including scheduling, evidence collection, reconciliation, validation, and documentation.
  • Validates user and privileged access against approved roles, entitlements, and least-privilege standards, including review of access provisioned through Microsoft Entra security groups.
  • Identifies and documents access exceptions related to provisioning, transfers, terminations, and excessive access; tracks remediation through resolution and maintains audit-ready evidence.
  • Ensures UAR artifacts meet regulatory, audit, and internal retention requirements.

GRC Control Administration & Independent Validation

  • Maintains control documentation, evidence repositories, and GRC system records to support audits, examinations, and management oversight.
  • Performs procedural control validation and limited control testing to confirm execution and evidence sufficiency; does not design controls or perform technical configurations.
  • Identifies control execution gaps, documentation deficiencies, and missed timelines; challenges first-line control execution and escalates issues with clear corrective action recommendations.

Vendor Due Diligence & Third-Party Risk Management

  • Supports vendor due diligence and Third-Party Risk Management (TPRM) activities, partnering with internal stakeholders to ensure adherence to program requirements and timelines.
  • Coordinates vendor onboarding and ongoing due diligence in accordance with internal policy and established standards.
  • Performs risk-focused reviews of third-party relationships to support risk tiering and oversight, including the collection and validation of required documentation.
  • Reviews due diligence artifacts (e.g., SOC reports, certifications, regulatory attestations) for completeness and follow-up requirements; tracks remediation items through resolution.
  • Pairs with vendor owners to obtain updated information and address documentation gaps impacting onboarding, renewals, or compliance deadlines.
  • Identifies, documents, and tracks Complementary User Entity Controls (CUECs); monitors implementation status, evidence retention, and remediation progress.

Job Specifications

  • Demonstrated working knowledge of User Access Review (UAR) governance, including least privilege principles, role-based access controls, and independent validation of user and privileged access.
  • Experience reviewing and validating access-related evidence, including user listings and security group assignments from identity platforms (e.g., Microsoft Entra), to identify exceptions and required follow-up actions.
  • Proven ability to administer, validate, and document the execution of GRC control activities with limited supervision, applying sound judgment to identify gaps, inconsistencies, and control execution issues.
  • Experience working within GRC and vendor management systems to track activities, maintain evidence, and support audit, compliance, and management oversight processes.
  • Strong experience conducting risk-focused contract and NDA reviews, ensuring inclusion of required security, regulatory, and risk provisions prior to execution.
  • Working knowledge of business continuity program support, including documentation maintenance, testing coordination, and remediation tracking.
  • Experience supporting vendor due diligence and third-party risk management (TPRM) processes, including review of SOC reports, certifications, and attestations for completeness and follow-up actions.
  • General familiarity with financial institution regulatory expectations and frameworks (e.g., GLBA, FFIEC, NCUA guidance).
  • Experience supporting internal audits, regulatory examinations, or control reviews preferred.

Similar jobs