Cybersecurity Risk Assessor (Mid-Level)
Security Assurance, LLC
ROCKVILLE, MD
JOB DETAILS
JOB TYPE
Full-time, Employee
SKILLS
Analysis Skills, CISA - Certified Information Systems Auditor, CISSP - Certified Information Systems Security Professional, CompTIA Security+, Documentation, External Audit, HIPAA (Health Insurance Portability and Accountability Act), Industry Standards, Information/Data Security (InfoSec), Internal Audit, Internet Security, Maintain Compliance, Metrics, Network Security, PCI, PCI-DSS, Regulations, Reporting Dashboards, Risk, Risk Analysis, Risk Management, Risk Management Framework (RMF), Risk Modeling, Security Policy, ServiceNow, Systems Administration/Management, Threat Modeling, Time Management, U.S. National Institute of Standards and Technology (NIST), Vendor/Supplier Selection, Vulnerability Scanners
LOCATION
ROCKVILLE, MD
POSTED
2 days ago
The Risk Assessor will play a central role in operationalizing risk reviews, providing defensible risk ratings, identifying compensating controls, and helping departments reduce or accept risk in a documented, auditable manner. This supports strategic objectives related to HIPAA compliance, CJIS certification, PCI standards, and internal control monitoring under NIST SP 800-53.
Key Responsibilities:
- Review policy and security risk exception requests submitted by internal departments using the ServiceNow GRC platform
- Perform structured risk assessments, analyze compensating controls, determine residual risk, and provide a formal recommendation regarding the acceptance or denial of exception requests.
- Apply industry standard risk rating models (e.g. NIST SP 800-30, FAIR, qualitative matrices) to all risk assessments
- Collaborate with stakeholders (data owners, system administrators, compliance leads) to communicate risk, document justifications, and suggest mitigation strategies.
- Assist with tracking and closure of internal and external audit findings.
- Support internal control assessments and monitor compliance with HIPAA, CJIS, PCI DSS, and Maryland PIPA.
- Review SOC 1 and SOC 2 reports from third-party vendors, identify control exceptions and user control considerations.
- Contribute to GRC documentation including policies, procedures, workflows, and risk rating methodologies.
- Support remediation of audit findings and internal control deficiencies.
- Contribute to GRC reporting metrics, dashboards, and executive summaries.
Knowledge/Skills/Abilities:
- Bachelor's degree with 3-5 years of experience (or commensurate experience) as a Security Control or Risk Assessor.
- Strong technical background, able to understand network diagrams, threat models, and vulnerability and compliance scans.
- Strong understanding of information security principles, regulatory frameworks, and control families (e.g., NIST 800-53, NIST RMF 800-37, HIPAA, PCI).
- Ability to conduct structured risk assessments, including the analysis of compensating controls, residual risk determination, application of quantitative risk models, and providing a formal recommendation regarding the acceptance or denial of exception requests.
- Experience conducting assessments based on the NIST Risk Management Framework approach
- Experience reviewing and interpreting SOC 1/SOC 2 reports and vendor attestations
- Proficiency in using GRC platforms (ServiceNow preferred) for workflow management and documentation
- Ability to work independently, meet deadlines, and communicate complex risk concepts to business units.
- Experience supporting third-party assessments, audit responses, or internal control monitoring.
- Experience reviewing policy exceptions, risk acceptances, or control deviations in a regulated environment.
Industry certifications such as CISSP, CGRC, CISA, CRISC, or Security+ preferred.
About the Company
Security Assurance, LLC
INDUSTRY
Computer/IT Services