IT Risk Analyst, Intermediate
Job in Chicago, Cook County, Illinois, 60290, USA
Listed on 2026-02-23
Listing for: The University of Chicago
Full Time position
Job specializations:
- IT/Tech: Cybersecurity, IT Consultant, Information Security
Job Description & How to Apply Below
**OPS ITS - Governance and Risk**
**About the Department**
ITS collaborates with campus partners to support the mission of the University of Chicago through the consistent delivery of high-quality solutions and services. We provide secure, stable, and reliable infrastructure and applications to support the mission of the University. We support and enable faculty research and teaching with the effective use of technology.
We simplify the technology experience for faculty, students, alumni, and staff, and we ensure technology is mobile-friendly and accessible. We identify, manage, and mitigate the technology risks of the University.
**Job Summary**
Under the general direction of the Director of Information Assurance, this position is responsible for providing consultation and assessments of risks and vulnerabilities; developing and tracking progress of risk remediation plans; implementing security standards, policies, and controls; and representing the Information Assurance program in campus forums.
**Responsibilities**
* Conducts risk assessments of business and IT environments to identify and address impacts to university objectives.
* Leads strategic security framework evaluations and recommends improvements to overall security posture.
* Performs NIST 800-171 and CMMC Level 1 assessments for regulatory compliance and data protection.
* Conducts NIST 800-53 Physical and Environmental Controls assessment to safeguard critical infrastructure.
* Researches and recommends complex risk scenarios based on organizational structures, policies, standards, technology, and controls to determine the likelihood and impact of identified risks. Evaluates control gaps against university policies, standards, and architecture, quantifies risk likelihood and business impact, and provides detailed, data-driven mitigation strategies to inform and guide executive leadership decision-making.
* Designs and develops comprehensive remediation plans for uncovered risks. Maintains and enhances systems, develops specialized tools, and configures products for efficient tracking and management of the university’s information security program portfolio. Restructures and formalizes the Risk Acceptance Letter process by establishing clear documentation, assigning owners, tracking remediation, and prioritizing efforts according to compliance and operational significance.
* Provides expert guidance and oversight on security requirements and controls for major university projects, ensuring that appropriate security controls are implemented, tracked, and validated. Reviews active projects, such as Phoenix AI, Globus CMMC and 800-171 assessments, and SFA CSF 2.0, delivering strategic security guidance, monitoring control implementation, and verifying effectiveness to mitigate potential security gaps.
* Conducts comprehensive assessments of IT environments to ensure adherence to established configuration and management guidelines. Performs in-depth evaluations as part of SFA CSF 2.0, NIST 800-171, CMMC Level 1, and NIST 800-53 assessments, identifying gaps or inconsistencies and recommending corrective actions to maintain a robust security and compliance posture.
* Strategically consults with stakeholders across the University to design and refine security processes and guidelines and to achieve security or compliance goals for projects, implementations, and RFPs. Provides targeted security guidance, supports process and control implementation aligned with SFA CSF 2.0, NIST 800-53, NIST 800-171, and CMMC frameworks, and ensures compliance with University standards.
* Critically reviews vendor contracts, project plans, and governing frameworks to identify security or compliance gaps, offering actionable recommendations for amendments or adjustments to align with University policies and regulatory requirements, and minimize risk exposure.
* Investigates and researches emerging security issues, contributing to IT Security communications and awareness initiatives. Documents internal processes and authors security standards and guidelines utilizing SFA CSF 2.0, NIST, and CMMC frameworks. Develops and disseminates University-wide security awareness materials, leads key events such as the Cybersecurity Symposium and lunch and learn sessions, and produces monthly training metric reports for leadership.
* Recommends and implements process and system enhancements to strengthen data systems security, identifying governance, process, and technical control gaps, and supporting improvements to elevate security posture, system integrity, and data protection.
* Communicates proactively with user communities to understand their security needs, supports the implementation of tailored procedures, and ensures alignment with required security protocols. Provides comprehensive guidance facilitating user education and compliance to reduce risk exposure.
* Provides subject-matter expertise and mentorship, including guiding interns on projects such as Bit Sight and…