Yesterday
Unspecified
Mid Level Career (5+ yrs experience)
No Traveling
IT - Security
Rockville, MD (On/Off-Site)
CYBER SECURITY RISK ANALYST - MID LEVEL - GRC FOCUS
ROCKVILLE, MD
LONG TERM CONTRACT
The Cyber Security Risk Analyst will support the County’s Governance, Risk, and Compliance (GRC) efforts by performing detailed risk evaluations and compliance assessments. The analyst will work primarily within the County’s ServiceNow GRC platform to review IT security policy exception requests, assess vulnerabilities, and support broader risk governance activities.
· Collaborate with internal departments including IT, legal, compliance, audit, and business operations to identify, assess, and manage cybersecurity risks across the organization.
· Support vulnerability assessments by interpreting technical findings, validating remediation efforts, and ensuring alignment with policy.
· Participate in internal control evaluations to assess effectiveness and identify potential gaps based on relevant frameworks such as NIST 800-53 and ISO 27001.
· Assist with the design, documentation, and implementation of risk treatment plans, ensuring appropriate mitigation strategies are in place and tracked through resolution.
· Contribute to audit preparation activities, respond to information requests, and support remediation of audit findings as needed.
· Use ServiceNow GRC functionality to support workflow management, risk tracking, and reporting.
· Recommend improvements to exception request workflows, dashboards, and system configurations where appropriate.
· Review and assess policy exception requests submitted via the County’s ServiceNow GRC platform.
· Confirm the completeness, consistency, and accuracy of the information provided in the exception request form.
· Conduct detailed risk assessments for each exception request, identifying relevant threats, vulnerabilities, likelihood of exploitation, and potential impacts.
· Analyze the effect of granting exceptions on system security, regulatory compliance, and business continuity.
· Develop formal approval or denial recommendations based on the risk assessment and alignment with County policy and risk tolerance.
· Document all risk analysis, decisions, and recommendations in the ServiceNow GRC platform in accordance with County policy and audit standards.
· Present findings and recommendations to the CISO and designated approvers.
· Use ServiceNow GRC functionality to support workflow management, risk tracking, and reporting.
· Recommend improvements to exception request workflows, dashboards, and system configurations where appropriate.
1. Demonstrated hands-on experience with Governance, Risk, Compliance tools such as ServiceNow, Riskonnect, LogicManager, RSA Archer.
2. Strong understanding and application of cybersecurity risk management principles and control frameworks, including NIST SP 800-53, NIST RMF 800-37, ISO 27001, HIPAA Security Rule, PCI and FedRAMP.
3. Demonstrated ability to conduct structured risk assessments, to include the analysis of compensating controls, residual risk determination, application of quantitative risk models, and providing formal recommendation regarding the acceptance or denial of exception requests.
4. Demonstrated experience with the policy exception request process to include the intake/review of new exception requests to ensure completeness, accuracy, and consistency of the information provided, follow up with requestors to obtain missing or unclear information, performance of risk assessments, approval/denial recommendations and stakeholder communications regarding risk acceptance
5. Strong technical foundation with the ability to interpret network diagrams, threat models, vulnerability scan results, and compliance assessment reports.
6. Familiarity with risk qualification methodologies such as NIST, ISO 27005, Factor Analysis of Information Risk (FAIR).
7. Demonstrated ability to evaluate third-party System and Organization Controls (SOC) reports specifically SOC 1 Type II and SOC 2 Type II—for completeness, relevance, and control alignment.
8. Proven ability to contribute to third-party risk assessments, compliance audits, and the evaluation of internal security controls.
9. Proven track record in performing the duties of an Information Security Risk Analyst, including structured risk assessments and policy exception reviews.
10. Track record of supporting policy exception management processes and risk tolerance assessments in complex regulatory environments.
IDEAL CANDIDATE:
The ideal candidate is a mid-level cybersecurity professional with a solid track record in risk analysis, policy exception review, and control evaluation within a regulated environment. They possess hands-on experience with Governance, Risk, and Compliance (GRC) platforms—preferably ServiceNow—and are adept at navigating complex workflows related to policy deviations, risk acceptances, and control exceptions.
This individual demonstrates a deep understanding of risk management frameworks such as NIST 800-53, NIST RMF 800-37, HIPAA, and ISO 27001, and can apply this knowledge to evaluate threats, assess vulnerabilities, and recommend appropriate mitigation strategies. The candidate brings a technical foundation that enables them to confidently interpret network diagrams, vulnerability scan results, and audit artifacts such as SOC 1/SOC 2 reports.
They are detail-oriented, analytical, and capable of conducting structured risk assessments that support business operations while maintaining compliance with County security policies. The candidate excels at clearly communicating risk implications and recommendations to both technical teams and executive stakeholders. Experience working in hybrid government environments, supporting third-party risk assessments, and contributing to audit readiness activities is highly desirable.
Above all, the candidate demonstrates professional maturity, sound judgment, and a collaborative approach to advancing the County’s risk-informed decision-making and cybersecurity governance objectives.
System One, and its subsidiaries including Joulé, ALTA IT Services, and Mountain Ltd., are leaders in delivering outsourced services and workforce solutions across North America. We help clients get work done more efficiently and economically, without compromising quality. System One not only serves as a valued partner for our clients, but we offer eligible employees health and welfare benefits coverage options including medical, dental, vision, spending accounts, life insurance, voluntary plans, as well as participation in a 401(k) plan.
System One is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, age, national origin, disability, family care or medical leave status, genetic information, veteran status, marital status, or any other characteristic protected by applicable federal, state, or local law.
ROCKVILLE, MD
LONG TERM CONTRACT
The Cyber Security Risk Analyst will support the County’s Governance, Risk, and Compliance (GRC) efforts by performing detailed risk evaluations and compliance assessments. The analyst will work primarily within the County’s ServiceNow GRC platform to review IT security policy exception requests, assess vulnerabilities, and support broader risk governance activities.
· Collaborate with internal departments including IT, legal, compliance, audit, and business operations to identify, assess, and manage cybersecurity risks across the organization.
· Support vulnerability assessments by interpreting technical findings, validating remediation efforts, and ensuring alignment with policy.
· Participate in internal control evaluations to assess effectiveness and identify potential gaps based on relevant frameworks such as NIST 800-53 and ISO 27001.
· Assist with the design, documentation, and implementation of risk treatment plans, ensuring appropriate mitigation strategies are in place and tracked through resolution.
· Contribute to audit preparation activities, respond to information requests, and support remediation of audit findings as needed.
· Use ServiceNow GRC functionality to support workflow management, risk tracking, and reporting.
· Recommend improvements to exception request workflows, dashboards, and system configurations where appropriate.
· Review and assess policy exception requests submitted via the County’s ServiceNow GRC platform.
· Confirm the completeness, consistency, and accuracy of the information provided in the exception request form.
· Conduct detailed risk assessments for each exception request, identifying relevant threats, vulnerabilities, likelihood of exploitation, and potential impacts.
· Analyze the effect of granting exceptions on system security, regulatory compliance, and business continuity.
· Develop formal approval or denial recommendations based on the risk assessment and alignment with County policy and risk tolerance.
· Document all risk analysis, decisions, and recommendations in the ServiceNow GRC platform in accordance with County policy and audit standards.
· Present findings and recommendations to the CISO and designated approvers.
· Use ServiceNow GRC functionality to support workflow management, risk tracking, and reporting.
· Recommend improvements to exception request workflows, dashboards, and system configurations where appropriate.
1. Demonstrated hands-on experience with Governance, Risk, Compliance tools such as ServiceNow, Riskonnect, LogicManager, RSA Archer.
2. Strong understanding and application of cybersecurity risk management principles and control frameworks, including NIST SP 800-53, NIST RMF 800-37, ISO 27001, HIPAA Security Rule, PCI and FedRAMP.
3. Demonstrated ability to conduct structured risk assessments, to include the analysis of compensating controls, residual risk determination, application of quantitative risk models, and providing formal recommendation regarding the acceptance or denial of exception requests.
4. Demonstrated experience with the policy exception request process to include the intake/review of new exception requests to ensure completeness, accuracy, and consistency of the information provided, follow up with requestors to obtain missing or unclear information, performance of risk assessments, approval/denial recommendations and stakeholder communications regarding risk acceptance
5. Strong technical foundation with the ability to interpret network diagrams, threat models, vulnerability scan results, and compliance assessment reports.
6. Familiarity with risk qualification methodologies such as NIST, ISO 27005, Factor Analysis of Information Risk (FAIR).
7. Demonstrated ability to evaluate third-party System and Organization Controls (SOC) reports specifically SOC 1 Type II and SOC 2 Type II—for completeness, relevance, and control alignment.
8. Proven ability to contribute to third-party risk assessments, compliance audits, and the evaluation of internal security controls.
9. Proven track record in performing the duties of an Information Security Risk Analyst, including structured risk assessments and policy exception reviews.
10. Track record of supporting policy exception management processes and risk tolerance assessments in complex regulatory environments.
IDEAL CANDIDATE:
The ideal candidate is a mid-level cybersecurity professional with a solid track record in risk analysis, policy exception review, and control evaluation within a regulated environment. They possess hands-on experience with Governance, Risk, and Compliance (GRC) platforms—preferably ServiceNow—and are adept at navigating complex workflows related to policy deviations, risk acceptances, and control exceptions.
This individual demonstrates a deep understanding of risk management frameworks such as NIST 800-53, NIST RMF 800-37, HIPAA, and ISO 27001, and can apply this knowledge to evaluate threats, assess vulnerabilities, and recommend appropriate mitigation strategies. The candidate brings a technical foundation that enables them to confidently interpret network diagrams, vulnerability scan results, and audit artifacts such as SOC 1/SOC 2 reports.
They are detail-oriented, analytical, and capable of conducting structured risk assessments that support business operations while maintaining compliance with County security policies. The candidate excels at clearly communicating risk implications and recommendations to both technical teams and executive stakeholders. Experience working in hybrid government environments, supporting third-party risk assessments, and contributing to audit readiness activities is highly desirable.
Above all, the candidate demonstrates professional maturity, sound judgment, and a collaborative approach to advancing the County’s risk-informed decision-making and cybersecurity governance objectives.
System One, and its subsidiaries including Joulé, ALTA IT Services, and Mountain Ltd., are leaders in delivering outsourced services and workforce solutions across North America. We help clients get work done more efficiently and economically, without compromising quality. System One not only serves as a valued partner for our clients, but we offer eligible employees health and welfare benefits coverage options including medical, dental, vision, spending accounts, life insurance, voluntary plans, as well as participation in a 401(k) plan.
System One is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, age, national origin, disability, family care or medical leave status, genetic information, veteran status, marital status, or any other characteristic protected by applicable federal, state, or local law.
group id: COMPHLP
