Risk and Security Analyst

We have an exciting opportunity for a Risk and Security Analyst with our industry-leading client in Cambridge, MA.

• Provide professional and technical information assurance and security expertise to support the design, implementation and operation of enterprise governance, risk and compliance (GRC).
• Write Policies and related supporting documentation, such as standards and procedures
• Help develop processes to support GRC business needs using tools to automate these processes.
• Contribute to the enhancement/refinement of the Information Security Risks & Controls library
• Assist with the development and implementation of controls in alignment with NIST standards: Assist in implementation of Common Controls in the GRC tool and subsequent ongoing authorization and continuous monitoring
• Assist IT System Owners and Control Owners in attestation and assurance processes
• Plan and perform user acceptance testing (UAT) of GRC tool enhancements identifying issues and providing recommendations for resolution, communicating system changes to end users
• Perform information security risk and control assessments and report on information security risks and recommend mitigation strategies; document and monitor information security remediation and control improvements
• Support the continuous improvement of Information Security Policies, Standards, Processes, and Procedures

• A minimum of 5-7 years' experience in information security and/or risk management, especially in an information risk analysis, Enterprise Risk Management (ERM), and/or IT Audit role.
• Knowledge of quantitative and qualitative risk evaluation methods, including information security control frameworks such as NIST, ISO, and COBIT.
• Proven experience with control monitoring principles and practices.
• Ability to understand and engage applicable industry-related regulatory requirements (e.g., FDA, FIPS, EU Annex 11, GDPR)
• Direct experience in cybersecurity risk analysis and related security products/systems (ServiceNow GRC strongly preferred)
• Demonstrable knowledge of information security standards, data security practices and procedures, network security, application security, and database security
• Understanding the impact of various data protection and integrity controls, operating systems and network security controls, authentication controls, and security protocols
• Ability to work on several tasks simultaneously and pay attention to sources of information from inside and outside to make appropriate assessments and decisions.
• Excellent analytical and problem-solving skills
• Excellent prioritization capabilities, with an aptitude for breaking down work into manageable parts, effectively assessing the priority and time required to complete each part.
• Strong communication skills and ability to convey complex concepts in simplified terms.
• Flexible and able to adapt quickly to changing technology
• Open and able to apply original and innovative thinking to produce new ideas and create innovative approaches to information security oversight and compliance.
• Experience with development and implementation of information security awareness and education programs.
• Strong knowledge of Microsoft Office product suite, and corporate business applications including Skype and SharePoint
• Comfortable working independently and collaboratively to achieve business outcomes
• Biotech and IT experience preferred