Information Security & Governance Analyst

Job in McMurray, Washington County, Pennsylvania, USA
Listing for: Brentwood Bank
Full Time position
Listed on 2026-02-21
Job specializations:
  • IT/Tech
    Information Security, Cybersecurity, Data Security, IT Consultant
Salary/Wage Range or Industry Benchmark: 60000 - 80000 USD Yearly
Location: McMurray

Summary Of Basic Function

The Information Security & Governance Analyst supports the organization’s information security and risk management program through hands‑on execution of risk, governance, and compliance activities. This role contributes to protecting information assets by performing risk assessments, supporting audits, maintaining security governance processes, and collaborating with technology and business stakeholders. The Analyst works under the guidance of senior team members and leadership to help mature Brentwood Bank’s information security and governance practices in alignment with industry frameworks such as CIS and NIST.

This position is a hybrid role requiring three days in office.

Essential Duties And Responsibilities

Security Governance & Program Support
  • Support the Information Security & Governance team in executing elements of the enterprise information security program.
  • Assist in preparing risk assessments, metrics, and reporting for leadership and committee review.
  • Participate in governance, risk, audit, and security‑related meetings as a contributor.
Enterprise Resilience Support
  • Assist with business continuity, disaster recovery, and incident response activities, including documentation reviews and tabletop exercise coordination.
  • Support post‑exercise reviews by documenting observations and tracking follow‑up actions.
Risk Assessment & Audit Support
  • Assist with risk assessments for systems, processes, vendors, and business functions using established methodologies.
  • Support internal and external audits through evidence collection, documentation, and coordination with stakeholders.
  • Assist with control self‑assessments and remediation tracking in collaboration with control owners.
Access Management & Identity Governance
  • Perform user access reviews for assigned systems, ensuring completeness, accuracy, and timely completion.
  • Maintain access review documentation, metrics, and evidence in accordance with established procedures.
Risk Register Maintenance
  • Assist the Security Risk Register process by documenting identified risks, updating risk details, and tracking remediation activities.
  • Ensure risks from audits, assessments, and incidents are accurately captured and updated.
  • Assist with preparing periodic risk reporting for leadership and committees.
Third‑Party Risk Management
  • Support the Third‑Party Risk Management (TPRM) program by conducting vendor risk assessments and SOC reviews for new and existing vendors.
  • Track vendor risk issues and remediation activities.
Vulnerability Management Support
  • Assist with reviewing vulnerability and penetration test reports.
  • Track remediation status and validate closure evidence in coordination with IT teams.
  • Support cloud security and application risk tracking activities as assigned.
Policy, Framework, and Control Support
  • Assist with updating information security policies, standards, and procedures.
  • Support mapping controls to industry frameworks and regulatory requirements.
  • Identify control gaps or improvement opportunities and elevate to senior team members.
Collaboration & Professional Development
  • Collaborate with IT, business units, and vendors to support security and risk initiatives.
  • Participate in security awareness, training, and knowledge‑sharing activities.

Perform other duties as assigned.

Requirements
  • Bachelor’s degree from an accredited college or university in Information Systems, Cybersecurity, Computer Science, Business, or a closely related field, or equivalent experience.
  • 1–3 years of experience in information security, risk management, audit, compliance, or a related field.
  • Experience in a regulated industry such as financial services or banking is preferred.
Preferred Certifications (or progress toward)
  • CISA – Certified Information Systems Auditor
  • CRISC – Certified in Risk and Information Systems Control
Knowledge, Skills, And Abilities
  • Foundational understanding of information security, risk management, and governance concepts.
  • Familiarity with security frameworks such as CIS or NIST.
  • Ability to analyze information and document risks and controls clearly.
  • Strong organizational and documentation skills.
  • Experience or exposure to GRC platforms (e.g.,…