Contract Information Security GRC Analyst

This role sits within theInformation Security Governance, Risk and Compliance (GRC) team, which reports directly into the CISO organization. The GRC team serves as the central function responsible for managing the enterprise's security risk posture, ensuring regulatory compliance, andmaintainingthe policy and control framework that governs information security across Chatham. This team works cross-functionally, partnering closely withProduct and Technology teamsto embed security into development and infrastructure initiatives,Human Resourcesfor security awareness and personnel security matters,Operationsfor business process alignment, and allChatham business unitsto ensure security requirements support businessobjectives. The team alsomaintainscritical relationships withOperational Riskto align cybersecurity risk management with enterprise riskframeworks andserves as the primary liaison toexternal auditorsfor SOC 2, regulatory examinations, and other assurance activities.

In this role you will:

The Information Security GRC Analyst with a Risk and Policy focusis responsible forassistingin the execution ofthe organization's security risk management program and supporting policy governance. This roletakes the lead in conductingthesecurityrisk assessments forChatham systems,vendorsand business processes. This roleis responsible formaintainingthetechnology and cybersecurity risks on the operationalrisk register; tracking issues andrisk mitigation activities; andsupportspolicy development.This role is also responsible for translatingtechnical risks into business-relevant recommendations,recommendingrisk-based decisions,documenting decisions onrisk treatment, tracking risk mitigationaction plans to completionandreviewing systems/processes forpolicy compliance.

• Risk Assessment Execution:Conducttechnologyandsecurity risk assessments for internal systems, product and technologyprojects using established frameworks (NIST SP 800-30, ISO 27005, etc.)

• Technology and CybersecurityRisk Register Management:Maintainthe technologyrisk register(includes Cybersecurity)documenting threats, vulnerabilities, impacts, likelihood, risk ratings, and treatment decisions; ensure consistent updates with stakeholder input

• Technology and CybersecurityRisk Mitigation Tracking:Document risk treatment plans with action items, responsible parties, and target dates; track remediation progress; verify risk reduction upon closure

• Technologyand CybersecurityPolicy Support:Support policy lifecycle activities including drafting, review, and updates; ensure policies alignment based on industry standards such as NIST, ISO 27001, etc.,

• Cybersecurity and Information SecurityRisk MetricsDevelopment:Develop and report risk metrics and KRIs; analyze trends in risk posture;identifysystemic issues requiring management attention

• Technology and CybersecurityRiskReporting/Communication:Translate technical risk findings into business-relevant language; prepare risk summaries for management review and decision-making

• Stakeholder Engagement:Partner withcontrol owners,system owners, product team, technologyteamandbusiness stakeholders toidentifyand assess risks throughout the system lifecycle.

Your impact:

Success in this role requires strong collaborative relationships across Chatham. TheInformation Security GRCAnalyst partners closely with theManager of Information Security GRC,and Information Security leadershipto align risk priorities with security strategy. The analyst will interact on a regular basiswithtechnology and information security control owners to ensure controls areproperly designed, implemented, andmonitored.The analyst engages withOperational Riskto integratetechnology andcybersecurity risks intothe operationalrisk framework and reporting. Finally, collaboration withexternal auditorsduring SOC 2 and regulatory examinationsvalidatesthat risk management practices meet industry standards and client expectations.

Contributors to your success:

• Bachelor's degree, preferablyin Information Security, Computer Science, Risk Management, or relatedexperience in the field.

• 3-5+ years of experience in ITaudit, ITrisk management,executingsecurity assessments, orexperienceina relatedTechnology, IT Audit or DataGovernance,role.

• Experiencein supporting/coordinating companySOC 2Trust Services Criteriaaudits or conducting SOC 2 audits.

• Experience inconductingtechnology and securityrisk assessments using NIST, ISO 27005, or similar methodologies

• Strong understanding ofCybersecurity risks and mitigation strategies as well asfunctional experience withthreat modeling, vulnerability analysis, and risk quantificationand follow through.

• Knowledge of security frameworks: NIST CSF, NIST 800-53, ISO 27001, Center of Internet Security (CIS),SOC 2Trust Services Criteria,Cloud Control Matrix (CCM)

• Knowledge ofthird-party security assessmentsand/or data protection/impact assessments.

• Excellent analytical and written communication skills

• Certifications preferred: CRISC,CDPSE,CISA, CISSP, ISO 27001 Lead Auditor/Lead Implementer

• Other Certificationsconsidered:CGEIT, CCSK,CompTIA Security+, CompTIACySA+, CISSP-Associate, GIAC/GSEC, PMP/CAPM, AWS Cloud Practitioner, Azure Cloud Practitioner
  

* This is a contract position working 40 hours a week