INTL - Info Sec Risk Analyst

Post Date

Sep 02, 2025

Location

Cary,
North Carolina

ZIP/Postal Code

27518
US
Nov 10, 2025 Insight Global

Job Type

Contract

Category

Security Engineering

Req #

RAL-3e6a9d7b-04a0-4614-b574-d1d0d2db2214

Pay Rate

$24 - $30 (hourly estimate)

Job Description

We’re seeking an operational Information Security Risk Analyst to run high-throughput, repeatable information security risk assessments aligned to our client’s InfoSec Risk Management Framework (RMF). This role is process-driven: you’ll apply a defined methodology, keep immaculate records, produce consistent scoring, and move assessments (via good partnership with key team leads) from intake → analysis → treatment → acceptance without drift. When third-party risk management (TPRM) volume spikes or our primary assessor is out, you’ll flex to perform InfoSec assessments on vendors using the same disciplined approach.

What you’ll do
● Execute end-to-end risk assessments across products, platforms, processes, and changes, following the RMF stages of Identification → Analysis → Evaluation and documenting impacted assets, threats, existing controls, vulnerabilities, and consequences.
● Apply consistent scoring using defined likelihood/impact scales (Low=1, Medium=2, High=3) and the Risk Score = Probability × Impact formula; determine Low/Medium/High levels per thresholds.
● Drive treatment decisions (mitigate/retain/avoid/share) and produce clear treatment plans with owners and dates.
● Manage acceptance and escalation based on criteria (e.g., Medium → Director; High → VP) and ensure approvals are recorded.
● Maintain the Risk Register with current statuses, residual risk, review dates, and evidence.
● Communicate results and treatment plans to stakeholders; keep two-way communication flowing and traceable.
● Monitor and trigger re-reviews when assets, threats, or vulnerabilities change; schedule periodic reassessments.
● Report posture and trends (e.g., risk distribution, SLA adherence, overdue treatments) at the cadence required.
● Flex to TPRM: perform vendor security assessments using our TPRM workflow when inbound volume is high or the dedicated resource is out of office (OOO); document results to the same standard as internal assessments.
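The scoring, escalation and reporting steps above can be expressed as a small risk-register model. The block below is an added example, not the client’s GRC tooling or RMF: the 1–3 scales, the Probability × Impact formula, the four treatment options and the Medium → Director / High → VP escalation come from the posting; the Low/Medium/High thresholds on the score, the routing of Low risks to the risk owner, acceptance being signed on residual risk, and the sample register entries are assumptions made for illustration.

```python
"""Added example of an RMF-style risk register scorer (not the client's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Likelihood/impact scales and treatment options from the posting.
SCALE = {"Low": 1, "Medium": 2, "High": 3}
TREATMENTS = {"mitigate", "retain", "avoid", "share"}

# Medium -> Director and High -> VP are from the posting; routing Low to the
# Risk Owner is an ASSUMPTION.
APPROVER = {"Low": "Risk Owner", "Medium": "Director", "High": "VP"}


def level(score: int) -> str:
    """Map a Probability x Impact score (possible values 1,2,3,4,6,9) to a level.

    The posting says "per thresholds" without stating them; the cut-offs here
    (Low <= 2, Medium 3-4, High >= 6) are an ASSUMPTION to adjust to the client's RMF.
    """
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    risk_id: str
    statement: str
    probability: str                              # inherent likelihood rating
    impact: str                                   # inherent impact rating
    treatment: Optional[str] = None
    treatment_owner: Optional[str] = None
    treatment_due: Optional[date] = None
    treatment_closed: bool = False
    residual_probability: Optional[str] = None    # rating after treatment
    residual_impact: Optional[str] = None
    approved_by: Optional[str] = None             # role that recorded acceptance
    next_review: Optional[date] = None

    def __post_init__(self) -> None:
        # Consistent scoring starts with rejecting ratings outside the scale.
        for rating in (self.probability, self.impact,
                       self.residual_probability, self.residual_impact):
            if rating is not None and rating not in SCALE:
                raise ValueError(f"{self.risk_id}: unknown rating {rating!r}")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

    @property
    def inherent_score(self) -> int:
        return SCALE[self.probability] * SCALE[self.impact]

    @property
    def residual_score(self) -> int:
        # Residual falls back to inherent until a treatment re-rates it.
        p = self.residual_probability or self.probability
        i = self.residual_impact or self.impact
        return SCALE[p] * SCALE[i]

    @property
    def residual_level(self) -> str:
        return level(self.residual_score)

    @property
    def required_approver(self) -> str:
        return APPROVER[self.residual_level]   # ASSUMPTION: acceptance is on residual risk


def record_acceptance(risk: Risk, approver_role: str) -> None:
    """Record acceptance only from the role the escalation criteria require."""
    if approver_role != risk.required_approver:
        raise PermissionError(f"{risk.risk_id} is {risk.residual_level}: "
                              f"needs {risk.required_approver}, got {approver_role}")
    risk.approved_by = approver_role


def posture_report(register: list, today: date) -> dict:
    """Residual-risk distribution, overdue treatments, open acceptances, due reviews."""
    distribution = {"Low": 0, "Medium": 0, "High": 0}
    for r in register:
        distribution[r.residual_level] += 1
    overdue = [r.risk_id for r in register
               if r.treatment_due and not r.treatment_closed and r.treatment_due < today]
    awaiting = [r.risk_id for r in register if r.approved_by is None]
    review_due = [r.risk_id for r in register if r.next_review and r.next_review <= today]
    return {"distribution": distribution, "overdue_treatments": overdue,
            "awaiting_acceptance": awaiting, "review_due": review_due}


def sample_register() -> list:
    """Constructed sample entries for illustration (not real findings)."""
    return [
        Risk("R-001", "Unpatched build server reachable from the internet", "High", "High",
             treatment="mitigate", treatment_owner="Platform Lead",
             treatment_due=date(2025, 9, 30), residual_probability="Medium",
             residual_impact="Medium", next_review=date(2026, 3, 1)),
        Risk("R-002", "Vendor SOC 2 Type II report older than 12 months", "Low", "Medium",
             treatment="retain", approved_by="Risk Owner", next_review=date(2025, 11, 1)),
        Risk("R-003", "Live-service telemetry kept without a retention limit", "Medium", "High",
             treatment="share", treatment_owner="Data Lead", treatment_due=date(2025, 10, 15),
             treatment_closed=True, residual_probability="Low", residual_impact="Medium",
             approved_by="Risk Owner"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        print(r.risk_id, r.inherent_score, r.residual_level, r.required_approver)
    print(posture_report(register, date(2025, 11, 10)))
```

The approver check is the part worth keeping even if the thresholds change: it refuses to record an acceptance from a role below the one the escalation criteria require, so the register cannot show a High risk "accepted" by someone who was not entitled to accept it.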

We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.

Required Skills & Experience

● 2–5 years hands-on experience running information security risk assessments in an operational capacity (NIST RMF / NIST SP 800-30).
● Proven ability to apply a predefined process consistently: intake → scoping → risk statement → likelihood/impact scoring → treatment → acceptance → register updates.
● Strong grasp of NIST SP 800-37 (RMF) and NIST SP 800-53 control families; ISO 27005 familiarity is a plus.
● Comfortable evaluating evidence: policies/standards, SOC 2 Type II, ISO/IEC 27001 certificates, penetration test reports, vulnerability scans, and cloud configuration artifacts.
● Experience managing a risk register and assessment queue with SLAs; high throughput without quality drift.
● Tooling fluency with GRC/risk platforms (e.g., ServiceNow GRC, Archer, OneTrust, or similar) and solid spreadsheet hygiene (filters, pivots, data validation).
● Clear, concise writing for risk statements, treatment plans, acceptance memos, and stakeholder updates.

Nice to Have Skills & Experience

● Certifications such as CompTIA Security+, CRISC, CISA, CASP+, CISSP, or FAIR Foundations.
● Familiarity with Airtable.
● Experience in game/dev, live services, or large-scale cloud environments.
● Familiarity with SIG/CAIQ or similar for vendor questionnaires (for TPRM flex work).
● Light scripting/automation (e.g., Python, SQL, or Excel macros) to streamline repetitive QA and reporting tasks.

Benefit packages for this role will start on the 31st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.