Information Security Analyst
This position supports the organization’s information security program by performing a broad range of responsibilities across governance, compliance, and operations. The analyst is primarily responsible for responding to third-party security assessments, supporting internal and external audits, and maintaining documentation aligned with regulatory and framework requirements (e.g., NIST, SOC 2, HIPAA). In addition, the role manages the organization’s vulnerability management program—overseeing scanning, monitoring, and coordinating remediation efforts with technical teams. As part of a small and agile team, the analyst is expected to wear many hats, contributing to incident response, risk assessments, infrastructure and cloud security initiatives, and other security-related tasks as needed.
Essential Functions
Governance, Risk & Compliance
· Respond to third-party security assessments, audits, and RFPs.
· Support internal and external audit activities, including evidence collection and control validation.
· Maintain and improve security policies, standards, and procedures aligned with frameworks (e.g., NIST, SOC 2, HIPAA, HITRUST).
· Conduct internal risk assessments and track remediation efforts.
· Assist in the development and operation of a continuous monitoring program.
· Support exception handling, risk acceptance, and mitigation planning.
Vulnerability Management
· Manage the vulnerability scanning and monitoring process across infrastructure and cloud environments.
· Prioritize vulnerabilities based on risk and coordinate remediation with technical teams.
· Track and report on remediation progress and effectiveness.
· Maintain awareness of emerging threats and vulnerabilities.
Security Operations & Support
· Monitor alerts, logs, and dashboards for indicators of compromise or policy violations.
· Triage and escalate security events as needed.
· Participate in change/problem management and incident response activities.
Documentation & Reporting
· Generate reports on security posture, audit findings, and vulnerability trends.
· Maintain accurate documentation of processes, controls, and remediation efforts.
· Contribute to security awareness and training initiatives.
Other duties as assigned.
Required Skills
Requirements
· Bachelor’s degree in Computer Science, Information Security, or related field—or equivalent experience.
· Minimum five years of experience in information security, with demonstrated experience with GRC and/or vulnerability management.
· Familiarity with security frameworks such as NIST SP 800-171, SOC 2, HIPAA, and HITRUST.
· Experience with vulnerability scanning tools (e.g., Rapid7).
· Strong understanding of IT infrastructure (networks, systems, databases) and cloud platforms (AWS, Azure, or GCP).
· Excellent written and verbal communication skills, especially for non-technical audiences.
· Must have flexibility in work schedule to provide off-hours support.
· Proficiency with MS Office applications, such as Excel, PowerPoint, Word, Visio, Access, and Project.
· Desirable: Ability to write scripts or programs, or effectively collaborate with AI tools to generate or refine code for automation, analysis, or security tasks.
· Ability to work well with others.
· Must be detail oriented.
Special Qualifications (Licenses, certifications, etc.)
· Must hold and maintain a CISSP certification—prompt attainment after employment is acceptable.
· Other relevant Information Security certifications are desirable.
Required Experience
Information Security Responsibilities:
Role Specific
· Hold and maintain a CISSP certification.
· Perform a minimum of 40 hours annual security training as planned with your supervisor.
· Abide by all security policies and processes defined by the organization.
· Abide by all applicable laws and regulations.
· Upon hire and annually, acceptance of:
o Acceptable Use Agreement,
o Certilytics Statement of Confidentiality,
o Certilytics Confidentiality and Invention Assignment Agreement,
o These information security requirements.
· Upon hire and annually, successful completion of training in:
o Security Awareness and Privacy,
o Code of Business Ethics,
o Conflict of Interest,
o Developer Security,
o Incident Response, and
o Other training as directed by your manager.
· Serve as a technical responder on the Security Incident Response Team and the Disaster Recovery Team.
General
· Report any security incidents, breaches, violations, or non-compliance with security policy when identified or witnessed.
· Report any identified security risks or vulnerabilities.
· Cooperate with Company, local, state, or federal investigators in the event of a security incident and/or breach.
· Report any complaints concerning the information security policies and procedures, or the organization's compliance with the policies and procedures program, by submitting a Footprint ticket or reporting to the Information Security team.
· Report any ideas for improvement of the organizational security program by submitting a Footprint ticket or by directly suggesting them to the CISO.