Chatham Financial

Contract Information Security GRC Analyst

Chatham Financial
$80K — $110K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree in Information Security, Computer Science, Risk Management, or related field.
  • 3-5+ years in IT audit, IT risk management, security assessments, or related role.
  • Experience with SOC 2 audits or coordination of such audits.
  • Proficient in using NIST, ISO 27005, or similar risk assessment methodologies.
  • Strong understanding of Cybersecurity risks and mitigation strategies.
  • Familiarity with security frameworks such as NIST CSF and ISO 27001.
  • Excellent analytical and written communication skills.

Responsibilities

  • Conduct technology and security risk assessments using established frameworks.
  • Maintain technology and cybersecurity risk register, documenting key details of threats and vulnerabilities.
  • Track and document risk treatment plans, including action items and responsible parties.
  • Support policy lifecycle activities, aligning with industry standards.
  • Develop and report on risk metrics and key risk indicators.
  • Translate technical risks into business-relevant summaries for management.
  • Engage with stakeholders to identify and assess risks throughout system lifecycles.

Benefits

  • Opportunity to work in a central role within the GRC team reporting to the CISO organization.
  • Cross-functional collaboration with multiple teams, including Product, Technology, and Operations.
  • Involvement in maintaining relationships with external auditors and influencing risk management standards.
  • Partake in developing policy governance aligned with industry best practices.
  • Engagement in corporate risk posture management and compliance activities.
Full Job Description

Overview:

This role sits within the Information Security Governance, Risk and Compliance (GRC) team, which reports directly into the CISO organization. The GRC team serves as the central function responsible for managing the enterprise's security risk posture, ensuring regulatory compliance, and maintaining the policy and control framework that governs information security across Chatham. This team works cross-functionally, partnering closely with Product and Technology teams to embed security into development and infrastructure initiatives, Human Resources for security awareness and personnel security matters, Operations for business process alignment, and all Chatham business units to ensure security requirements support business objectives. The team also maintains critical relationships with Operational Risk to align cybersecurity risk management with enterprise risk frameworks and serves as the primary liaison to external auditors for SOC 2, regulatory examinations, and other assurance activities.

In this role you will:

The Information Security GRC Analyst with a Risk and Policy focus is responsible for assisting in the execution of the organization's security risk management program and supporting policy governance. This role takes the lead in conducting the security risk assessments for Chatham systems, vendors and business processes. This role is responsible for maintaining the technology and cybersecurity risks on the operational risk register, tracking issues and risk mitigation activities, and supporting policy development. This role is also responsible for translating technical risks into business-relevant recommendations, recommending risk-based decisions, documenting decisions on risk treatment, tracking risk mitigation action plans to completion and reviewing systems/processes for policy compliance.

  • Risk Assessment Execution: Conduct technology and security risk assessments for internal systems, product and technology projects using established frameworks (NIST SP 800-30, ISO 27005, etc.).
  • Technology and Cybersecurity Risk Register Management: Maintain the technology risk register (includes Cybersecurity) documenting threats, vulnerabilities, impacts, likelihood, risk ratings, and treatment decisions; ensure consistent updates with stakeholder input.
  • Technology and Cybersecurity Risk Mitigation Tracking: Document risk treatment plans with action items, responsible parties, and target dates; track remediation progress; verify risk reduction upon closure.
  • Technology and Cybersecurity Policy Support: Support policy lifecycle activities including drafting, review, and updates; ensure policies align with industry standards such as NIST, ISO 27001, etc.
  • Cybersecurity and Information Security Risk Metrics Development: Develop and report risk metrics and KRIs; analyze trends in risk posture; identify systemic issues requiring management attention.
  • Technology and Cybersecurity Risk Reporting/Communication: Translate technical risk findings into business-relevant language; prepare risk summaries for management review and decision-making.
  • Stakeholder Engagement: Partner with control owners, system owners, product team, technology team and business stakeholders to identify and assess risks throughout the system lifecycle.

Your impact:

Success in this role requires strong collaborative relationships across Chatham. The Information Security GRC Analyst partners closely with the Manager of Information Security GRC, and Information Security leadership to align risk priorities with security strategy. The analyst will interact on a regular basis with technology and information security control owners to ensure controls are properly designed, implemented, and monitored. The analyst engages with Operational Risk to integrate technology and cybersecurity risks into the operational risk framework and reporting. Finally, collaboration with external auditors during SOC 2 and regulatory examinations validates that risk management practices meet industry standards and client expectations.

Contributors to your success:

  • Bachelor's degree, preferably in Information Security, Computer Science, Risk Management, or related experience in the field.
  • 3-5+ years of experience in IT audit, IT risk management, executing security assessments, or experience in a related Technology, IT Audit or Data Governance role.
  • Experience in supporting/coordinating company SOC 2 Trust Services Criteria audits or conducting SOC 2 audits.
  • Experience in conducting technology and security risk assessments using NIST, ISO 27005, or similar methodologies.
  • Strong understanding of Cybersecurity risks and mitigation strategies as well as functional experience with threat modeling, vulnerability analysis, and risk quantification and follow-through.
  • Knowledge of security frameworks: NIST CSF, NIST 800-53, ISO 27001, Center for Internet Security (CIS), SOC 2 Trust Services Criteria, Cloud Controls Matrix (CCM).
  • Knowledge of third-party security assessments and/or data protection/impact assessments.
  • Excellent analytical and written communication skills.
  • Certifications preferred: CRISC, CDPSE, CISA, CISSP, ISO 27001 Lead Auditor/Lead Implementer.
  • Other certifications considered: CGEIT, CCSK, CompTIA Security+, CompTIA CySA+, CISSP-Associate, GIAC/GSEC, PMP/CAPM, AWS Cloud Practitioner, Azure Cloud Practitioner.

* This is a contract position working 40 hours a week

About Chatham Financial

Chatham Financial is a global financial risk management advisory and technology solutions firm. The company provides a range of services, including debt and derivatives advisory, hedge accounting and regulatory compliance, and technology solutions for financial risk management. Chatham Financial was founded in 1991 and is headquartered in Kennett Square, Pennsylvania. The company serves clients in a wide range of industries, including real estate, private equity, and renewable energy.
  • Size: 700 employees
  • Founded: 1991
  • 5 Year Trend: +50%
  • Revenue: $150 million
