Full-Time Senior Security Risk Analyst

Job Title: Sr. Risk Analyst

Location: Remote

Position Description: Reporting to the BISO, the Senior Information Security Risk Analyst will lead specific information security risk management activities protecting clients and complying with regulations/policies. The Senior Information Security Risk Analyst provides expertise and leadership to improve security policies and risk management processes, establishing a framework of controls for risk management, regulatory compliance, and governance of IT. Responsibilities include identifying, treating risks timely, and reporting exposure to known threats. The role includes policy implementation/maintenance, training/awareness, and vendor risk management.

Position Accountabilities

1. Lead audit prep and response across InfoSec and IT.
2. Support Controls, Policy, Standards, and Procedures maturity program for InfoSec and IT to meet FFIEC, SOX, and threat/risk-based controls program requirements.
3. Perform security risk analysis to identify risk and enhance security posture.
4. Serve as a subject matter expert and advisor for risk-based decisions across business, IT, and stakeholders.
5. Contribute to Information Security reports for relevant committees (e.g., TTRC, CSWG, Operational Risk).
6. Lead tracking and remediation of risks impacting safety, soundness, or reputation.
7. Establish and maintain processes for security-related audits, assessments, and external assessments.
8. Ensure timely responses to evidence requests and compiling management responses/remediation plans.
9. Emphasize privacy, security, business resiliency, and compliance frameworks (e.g., FFIEC, SOX, GLBA, SOC 2, PCI-DSS, ITIL).
10. Evaluate risk and controls through targeted testing of processes.
11. Develop and publish policies, standards, and procedures based on risk appetite, industry best practices, and regulatory requirements.
12. Track and ensure timely updates of policies, standards, and procedures.
13. Collaborate with ERM team to design/maintain risk/controls matrix, mapped to regulations/frameworks, and aligned with risk appetite.
14. Participate in vendor risk assessment process and provide security risk assessment services/contract reviews.
15. Support cyber training, tabletop exercises, red team exercises, penetration testing, and ensure timely remediation of findings.
16. Establish/lead metrics program tracking key risks/KPIs for the cybersecurity program and report regularly to leadership.
17. Lead configuration, integration, and optimization of GRC platforms (e.g., RSA Archer, ServiceNow).

Organizational Relationship: Reports to the Business Information Security Officer (BISO).

Education & Experience: 6-10 years’ experience in information security roles (e.g., security risk analysis, compliance, risk management, process assurance, audit), Bachelor’s degree in related field (or equivalent) required, Master’s degree preferred. Professional security certifications (e.g., CISSP, CISM, CISA, CRISC) required.

Knowledge & Skills: Proven experience with GRC platforms, RSA Archer configuration, risk data integration, automation, dashboards; experience in risk treatment, controls selection, and control process design; knowledge of IT infrastructure, cloud (SaaS, IaaS), and application security; experience with policies, standards, industry practices in regulated environments (financial services); experience working with internal audit and regulators; experience with frameworks like FFIEC, SOX, ISO 27001/2, CIS CSC, NIST 800-53; experience using FFIEC CAT Tool; strong project management, communication, collaboration, and organizational skills.

What is the last date for applying to the job?

Which countries are accepted for this remote job?