Security Risk Analyst
About the role
The Information Security Governance Risk and Compliance (ISGRC) team at the College Board works closely with other teams across the organization to assess and certify the security of College Board’s information systems and processes. This dedicated team facilitates information security governance and compliance by assessing College Board’s vendors, reviewing and negotiating contractual commitments to information security, planning for disaster response and recovery, testing system strength using industry-recognized frameworks (ISO 27001, PCI-DSS and SOC2) and obtaining related compliance certifications, implementing information security policies, promoting security awareness and training, and testing the acumen of College Board employees through robust and innovative training and phishing campaigns.
Responsibilities
- Manage the Risk Register (20%): Leads the management of the issues and risks and quickly escalates any untimely completion of audit actions. Works independently to communicate risks and works with others to problem-solve risks to tolerance levels based on data and evidence. Maintains data quality of Risk Register and executes any required data clean-up exercises. Understands College Board work to be able to drive Risk or Control Owners to ensure consistent application of policies and standards. Raises awareness about Risk & Control Issues, Policy exceptions, and available risk reduction options. Fosters a culture of risk awareness and compliance within the technology department and across the organization.
- Manage Policy Exceptions (65%): Independently analyzes policy exception submissions and provides risk assessment reports for critical service lines, applications, and infrastructure hosted on-prem and in the cloud. Evaluates and manage exceptions to IT security policies. Manages materials for the Exception Review Board and presents exception information to executive leadership and senior team members. Maintains an up-to-date knowledge and understanding of IT security policies and principles.
- Support Vendor Risk Management (10%): Support the Vendor Risk Management program by understanding policies and procedures. Perform New Vendor Risk Assessments and Reassessments. Serve as backup to the Sr. Risk Analyst.
- Provide Metrics and Reporting (5%): Provides weekly and monthly reporting for the Risk Register and policy exceptions. Produces trending metrics and escalate exceptions.
Requirements
- 5-7 years of experience managing or supporting IT Security Risk and Control Risk Register and processing policy exceptions.
- Strong understanding of risk management techniques such as risk identification, risk scoring, risk mitigation, and risk tracking.
- Proven ability to lead conversations balancing risk and multiple business needs that result in positive outcomes with multiple stakeholders.
- The capacity to assess risk information and make risk recommendations independently.
- Strong organization and prioritization skills and the proven ability to manage multiple tasks simultaneously, both independently and as a member of the team.
- Excellent verbal and written communication skills.
- Experience with governance, risk, and compliance tools (e.g., OneTrust) preferred.
- Experience with information security and privacy frameworks such as ISO 27001, COBIT, NIST-CSF, NIST 800-53, GDPR etc.
- Current Information Security Certification (e.g., CISSP, CRISC, CISM, CISA, or related security certification) preferred or the ability to attain one within 6 months of hire.
- Bachelor’s degree in computer science, cybersecurity, engineering, IT management or four years equivalent IT and security industry experience.
Qualifications
- Bachelor’s degree required.
- The ability to travel 2-4 times a year to College Board offices or on behalf of College Board business.
Skills
- Strong understanding of risk management techniques such as risk identification, risk scoring, risk mitigation, and risk tracking.
- Proven ability to lead conversations balancing risk and multiple business needs that result in positive outcomes with multiple stakeholders.
- The capacity to assess risk information and make risk recommendations independently.
- Strong organization and prioritization skills and the proven ability to manage multiple tasks simultaneously, both independently and as a member of the team.
- Excellent verbal and written communication skills.
- Experience with governance, risk, and compliance tools (e.g., OneTrust) preferred.
- Experience with information security and privacy frameworks such as ISO 27001, COBIT, NIST-CSF, NIST 800-53, GDPR etc.
- Current Information Security Certification (e.g., CISSP, CRISC, CISM, CISA, or related security certification) preferred or the ability to attain one within 6 months of hire.
- Bachelor’s degree in computer science, cybersecurity, engineering, IT management or four years equivalent IT and security industry experience.
Benefits
At College Board, we offer more than a paycheck- we provide a meaningful career, a supportive team, and a comprehensive package designed to help you thrive. We’re a self-sustaining nonprofit that believes in fair and competitive compensation grounded in your qualifications, experience, impact, and the market. A Thoughtful Approach To Compensation The hiring range for this role is $72,000–$120,000. Your exact salary will depend on your location, experience, and how your background compares to others in similar roles at the College Board. We aim to make our best offer upfront, rooted in fairness, transparency, and market data. We adjust salaries by location to ensure fairness, no matter where you live.
Pay
The hiring range for this role is $72,000–$120,000. Your exact salary will depend on your location, experience, and how your background compares to others in similar roles at the College Board. We aim to make our best offer upfront, rooted in fairness, transparency, and market data. We adjust salaries by location to ensure fairness, no matter where you live.
Schedule
This is a remote role. Candidates who live near CB offices have the option of being fully remote or hybrid (Tuesday and Wednesday in office). All CB employees are required to occasionally travel to meet in person for business purposes.