Job Details

ID #54137892
State Maryland
City Rockville
Job type Full-time
Salary USD TBD TBD
Source Ashburn Consulting
Showed 2025-07-09
Date 2025-07-09
Deadline 2025-09-07
Category Etcetera

Information Security Risk Assessor

Maryland, Rockville, 20847 Rockville USA

Ashburn Consulting LLC is looking for an Information Security Risk Assessor to join us in providing support to Montgomery County Government Office of Technology and Enterprise Business Solutions (TEBS).

The objective of this task order is to obtain the services of a qualified Information Security Risk Analyst to support the County’s Governance, Risk, and Compliance (GRC) program. The Analyst will be responsible for identifying, assessing, and documenting risks associated with information systems, technologies, vendors, and operational processes, with a focus on promoting risk-informed decision-making and ensuring alignment with the County’s security policies and regulatory requirements.

Key responsibilities include:

- Conducting structured risk assessments, reviewing internal controls, evaluating third-party security attestations, and supporting vulnerability and compliance activities.
- The Analyst will also process policy exception requests submitted through the County’s ServiceNow GRC module by validating submitted information, conducting risk evaluations, and preparing formal recommendations for approval or denial.
- The role requires close collaboration with cross-functional teams to enhance the County’s overall risk posture and ensure adherence to internal policies and external compliance mandates.

Scope of Work:

The Cyber Security Risk Analyst will support the County’s Governance, Risk, and Compliance (GRC) efforts by performing detailed risk evaluations and compliance assessments. The analyst will work primarily within the County’s ServiceNow GRC platform to review IT security policy exception requests, assess vulnerabilities, and support broader risk governance activities.
Responsibilities include, but are not limited to, the following:

Cross-Functional Risk Support Responsibilities

- Collaborate with internal departments including IT, legal, compliance, audit, and business operations to identify, assess, and manage cybersecurity risks across the organization.
- Support vulnerability assessments by interpreting technical findings, validating remediation efforts, and ensuring alignment with policy.
- Participate in internal control evaluations to assess effectiveness and identify potential gaps based on relevant frameworks such as NIST 800-53 and ISO 27001.
- Assist with the design, documentation, and implementation of risk treatment plans, ensuring appropriate mitigation strategies are in place and tracked through resolution.
- Contribute to audit preparation activities, respond to information requests, and support remediation of audit findings as needed.
- Use ServiceNow GRC functionality to support workflow management, risk tracking, and reporting.
- Recommend improvements to exception request workflows, dashboards, and system configurations where appropriate.
Policy Exception Review Process

- Review and assess policy exception requests submitted via the County’s ServiceNow GRC platform.
- Confirm the completeness, consistency, and accuracy of the information provided in the exception request form.
- Conduct detailed risk assessments for each exception request, identifying relevant threats, vulnerabilities, likelihood of exploitation, and potential impacts.
- Analyze the effect of granting exceptions on system security, regulatory compliance, and business continuity.
- Develop formal approval or denial recommendations based on the risk assessment and alignment with County policy and risk tolerance.
- Document all risk analysis, decisions, and recommendations in the ServiceNow GRC platform in accordance with County policy and audit standards.
- Present findings and recommendations to the CISO and designated approvers.
- Use ServiceNow GRC functionality to support workflow management, risk tracking, and reporting.
- Recommend improvements to exception request workflows, dashboards, and system configurations where appropriate.
