Information Security GRC Analyst
Listed on 2026-07-10
-
IT/Tech
Cybersecurity, Information Security, Data Security, IT Consultant
Job Description Overview
We don't simply hire employees. We invest in them. When you work at Chatham, we empower you - offering professional development opportunities to help you grow in your career, no matter if you've been here for five months or 15 years. Chatham has worked hard to create a distinct work environment that values people, teamwork, integrity, and client service. You will have immediate opportunities to partner with talented subject matter experts, work on complex projects, and contribute to the value Chatham delivers every day.
Inthis role you will
The Information Security GRC Analyst with a Risk and Policy focus is responsible for assisting in the execution of the organization's security risk management program and supporting policy governance. This role takes the lead in conducting the security risk assessments for Chatham systems, vendors and business processes. This role is responsible for maintaining the technology and cybersecurity risks on the operational risk register;
tracking issues and risk mitigation activities; and supports policy development. This role is also responsible for translating technical risks into business-relevant recommendations, recommending risk-based decisions, documenting decisions on risk treatment, tracking risk mitigation action plans to completion and reviewing systems/processes for policy compliance.
- Risk Assessment Execution: Conduct technology and security risk assessments for internal systems, product and technology projects using established frameworks (NIST SP 800-30, ISO 27005, etc.)
- Technology and Cybersecurity Risk Register Management: Maintain the technology risk register (includes Cybersecurity) documenting threats, vulnerabilities, impacts, likelihood, risk ratings, and treatment decisions; ensure consistent updates with stakeholder input
- Technology and Cybersecurity Risk Mitigation Tracking: Document risk treatment plans with action items, responsible parties, and target dates; track remediation progress; verify risk reduction upon closure
- Technology and Cybersecurity Policy Support: Support policy lifecycle activities including drafting, review, and updates; ensure policies align with industry standards such as NIST, ISO 27001, etc.,
- Cybersecurity and Information Security Risk Metrics Development: Develop and report risk metrics and KRIs; analyze trends in risk posture; identify systemic issues requiring management attention
- Technology and Cybersecurity Risk Reporting/Communication: Translate technical risk findings into business-relevant language; prepare risk summaries for management review and decision-making
- Stakeholder Engagement: Partner with control owners, system owners, product team, technology team and business stakeholders to identify and assess risks throughout the system lifecycle.
Success in this role requires strong collaborative relationships across Chatham. The Information Security GRC Analyst partners closely with the Manager of Information Security GRC, and Information Security leadership to align risk priorities with security strategy. The analyst will interact on a regular basis with technology and information security control owners to ensure controls are properly designed, implemented, and monitored. The analyst engages with Operational Risk to integrate technology and cybersecurity risks into the operational risk framework and reporting.
Finally, collaboration with external auditors during SOC 2 and regulatory examinations validates that risk management practices meet industry standards and client expectations.
- Bachelor's degree, preferably in Information Security, Computer Science, Risk Management, or related experience in the field.
- 3-5+ years of experience in IT audit, IT risk management, executing security assessments, or experience in a related Technology, IT Audit or Data Governance role.
- Experience in supporting/coordinating company SOC 2 Trust Services Criteria audits or conducting SOC 2 audits.
- Experience in conducting technology and security risk assessments using NIST, ISO 27005, or similar methodologies.
- Strong understanding of Cybersecurity risks and mitigation strategies as well as functional experience with threat modeling, vulnerability analysis, and risk quantification and follow through.
- Knowledge of security frameworks: NIST CSF, NIST 800-53, ISO 27001, Center of Internet Security (CIS), SOC 2 Trust Services Criteria, Cloud Control Matrix (CCM).
- Knowledge of third‑party security assessments and/or data protection/impact assessments.
- Excellent analytical and written communication skills.
- Certifications preferred: CRISC, CDPSE, CISA, CISSP, ISO 27001 Lead Auditor/Lead Implementer.
- Other certifications considered: CGEIT, CCSK, CompTIA Security+, CompTIA CySA+, CISSP-Associate, GIA, C/GSEC, PMP/CAPM, AWS Cloud Practitioner, Azure Cloud Practitioner.
* This is a contract position working 40 hours a week.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).