Technical Security Risk & Governance Analyst

Job Description

**Contract Duration:**
03/02/2026 – 06/30/2026

**Work Location:**
Harrisburg, PA

**Onsite vs. Remote:**
Hybrid – Approximately 40 percent onsite

**Interview Type:**
Virtual

**Onsite Requirements:**
Two days per week onsite in Harrisburg

**Onsite Address:**
Harrisburg, PA

**Residency Requirements:**
Must be eligible to work in the United States

**Visas Accepted:**
USC, GC, H1B, GC EAD

**Schedule:**
Monday through Friday, 8 hours per day, up to 40 hours per week.

**Role Overview**
Our client’s EISO office is seeking a Technical Security Risk and Governance Analyst to support the Commonwealth’s cybersecurity program. This role focuses on enterprise risk assessment, control testing, and governance activities across applications, infrastructure, and cloud environments.

The Analyst partners with IT teams, business owners, and audit stakeholders to ensure security controls are properly designed, implemented, and operating effectively in alignment with state policy and recognized security frameworks.

**Key Responsibilities**

– Conduct technical security risk assessments across on-premises, cloud, and hybrid environments
– Document identified risks including likelihood, impact, and recommended mitigations
– Perform control design and operating effectiveness testing aligned to security frameworks
– Support Authority to Operate processes, attestations, and continuous monitoring activities
– Facilitate threat modeling and security architecture reviews
– Maintain and update security policies, standards, procedures, and control libraries
– Map agency controls to regulatory mandates and track compliance gaps
– Coordinate internal and external audits including evidence collection and remediation tracking
– Contribute to governance, risk, and compliance tooling including risk registers and issue tracking
– Establish governance processes for vulnerability management including SLAs and exception handling
– Perform third-party security reviews and evaluate vendor security documentation
– Develop dashboards and performance indicators to report on risk posture and control maturity
– Produce reports for technical and non-technical stakeholders
– Provide risk-informed guidance during incident response and change management reviews

**REQUIRED EXPERIENCE AND SKILLS**
**Education and Experience**

– Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field, or equivalent experience
– Minimum 3 years of experience in information security, risk management, audit, or related technical role

**Security Frameworks and Compliance**

– Knowledge of NIST CSF and NIST SP 800-53
– Knowledge of CIS Controls and ISO 27001
– Familiarity with CJIS, IRS Publication 1075, HIPAA, FERPA, PCI DSS, and state security policies

**Technical Security Domains**

– Identity and Access Management
– Network security and segmentation
– Endpoint security
– Vulnerability management
– Logging and SIEM
– Encryption and PKI
– Cloud security concepts including shared responsibility models

**Risk and Governance Capabilities**

– Experience conducting technical assessments and control testing
– Ability to validate configurations and interpret vulnerability scan results
– Experience with risk analysis and documentation including risk treatment planning
– Experience using GRC platforms including building workflows, control libraries, and risk registers
– Experience with data analysis and dashboarding using Excel or Power BI
– Ability to produce concise reports and present findings to senior leadership

**PREFERRED QUALIFICATIONS**

– CISSP, CISM, CRISC, CGRC, Security+, CCSK, CCSP, or CISA
– AWS or Azure cloud security certifications

**SITE NOTES**

– Enhanced background check required
– May require CJIS or IRS Publication 1075 clearance depending on data systems
– Occasional travel to agency sites or data centers may be required
– Participation in after-hours change windows or incident response as needed