Overview
Make an impact at Analysis Group, where we provide our clients with thoughtful, pragmatic solutions to their most challenging business and litigation problems. Analysis Group is one of the largest private economics consulting firms, with more than 1,200 professionals across 14 offices in North America, Europe, and Asia. Since 1981, we have provided expertise in economics, finance, health care analytics, and strategy to top law firms, Fortune Global 500 companies, and government agencies worldwide. Our internal experts, together with our network of affiliated experts from academia, industry, and government, offer our clients exceptional breadth and depth of expertise.
The Information Security Analyst will work with the Director of Information Security and Risk Management on the continuous improvement and development of the firm’s cybersecurity, compliance, and governance programs. As the Information Security Analyst, you are the organizing force responsible for providing oversight, coordination, and execution of the supporting activities for successful internal/external compliance and regulatory audits. This position will be responsible for collaborating with key stakeholders to ensure risks are managed effectively and efficiently in accordance with firm policies and applicable regulatory requirements.
Essential Job Function & Responsibilities:
- Governance Support
  - Manage the annual review process for policies, procedures, and standards.
  - Develop and manage a security policy exception process.
  - Develop and maintain Information Security and GRC metrics.
  - Support the Information Security Steering Committee (ISSC) as needed.
- GRC Operations
  - Develop a solid foundation in Information Security GRC concepts and processes.
  - Manage the selection, implementation, and operation of GRC tools.
  - Automate the collection of control test and internal audit data with low-code tools.
  - Drive continuous improvement of the InfoSec GRC program.
- Risk Management Support
  - Organize the Risk Management Committee (RMC) and coordinate risk management processes.
  - Maintain the Risk Register.
  - Manage the control test and reporting process.
  - Develop and maintain risk management metrics, reports, and dashboards.
  - Support control enhancement and/or gap remediation projects.
- Compliance Support
  - Develop a repeatable approach to managing NIST 800-53 and SOC 2 Type II audit requirements and testing procedures.
  - Manage internal audit processes.
  - Coordinate information security responses in support of external/third party audits.
  - Manage Corrective Action Plans and/or Plan of Action & Milestones (POA&Ms).
- Security Operations and Reporting
  - Monitors, collects, and analyzes cybersecurity data and develops KPI and metrics reports.
  - Performs vulnerability scans, conducts risk assessments, and oversees the vulnerability management remediation process.
  - Perform cyber-security related tasks such as phishing analysis and access control reviews.
- ISO 27001 Compliance
  - Proactively identify gaps or conflicts in existing policies and processes.
  - Educate and train process/control owners to ensure understanding of the security controls framework and their responsibilities.
  - Assist with and drive remediation of process and control deficiencies and gaps identified internally and externally.
  - Assemble, organize, and implement applicable documentation (e.g. SOA, procedures).
- Security Awareness and Training
  - Partners with the stakeholders to improve security procedures, training, IT processes, and the security of existing systems.
  - Manage phishing training campaigns and follow up / remedial training.
  - Manage and support the effectiveness of the Data Security Awareness and Training program.
Qualifications:
- Bachelor’s degree required. Degree in Information Systems Security or related field preferred.
- Minimum of 2 years substantive relevant experience required.
- An ideal candidate will have 2-5 years of experience in cybersecurity.
- Knowledge of and experience in information security and monitoring systems.
- Familiarity/comfort level working with IT Security software and hardware.
- Strong writing / documentation / presentation skills.
- Highly organized.
- Strong communication skills.
- Self-starter with the ability to work independently, while having good judgment as to when consultation is required.
- Ability to work on multiple projects and perform well under deadlines.
- Enthusiastic, flexible, willing to pitch in where needed.
- Strong drive to learn and grow in the cyber security field.
- Experience with control standards and frameworks such as FedRAMP, HIPAA, NIST 800-53, SOC 2, or ISO 27001. You have participated in various forms of internal controls review, testing, or internal audit.
- Must be a natural collaborator, communicate effectively, and be flexible to changing business conditions.
- An inclusive and growth-oriented mindset, strong interpersonal skills, and an ability to work across differences.
- To the extent permitted by applicable law, eligible candidates must be authorized to work in the United States without sponsorship or restriction, now and in the future.
Analysis Group embraces diversity and equal opportunity in a deep and meaningful way. We are committed to building teams that represent a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our work will be.
We provide equal access and opportunities regardless of sex, sexual orientation, gender, gender identity, gender expression, age, religion, race, color, ethnicity, national origin, ancestry, mental and physical ability or disability, medical condition, genetic information, citizenship status, socioeconomic status, veteran and military status, or membership in any other class protected under applicable law. We encourage candidates of all backgrounds to apply.
- Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities.
- Please view Equal Employment Opportunity Posters provided by OFCCP.
- The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)