Posted Apr 15, 2026

Technical Security Risk & Governance Analyst (PA Local | Hybrid)

About the position

The Commonwealth of Pennsylvania is seeking a Technical Security Risk & Governance Analyst to support its enterprise cybersecurity program. This role focuses on performing security risk assessments, control testing, governance, and compliance activities across on-premises and cloud environments. The analyst will collaborate with IT, audit, and business stakeholders to ensure security controls align with state policies and industry frameworks.

Responsibilities

• Conduct technical security risk assessments for on-prem, cloud (IaaS/PaaS/SaaS), and hybrid systems.
• Perform control design and operating effectiveness testing aligned with NIST CSF/800-53, CIS Controls, and ISO 27001.
• Support Authority to Operate (ATO), continuous monitoring, and security attestations.
• Maintain and update security policies, standards, procedures, and control libraries.
• Coordinate internal and external audits (HIPAA, CJIS, PCI DSS, FERPA, IRS Pub 1075).
• Perform third-party/vendor security reviews and support secure procurement activities.
• Develop dashboards and reports using Excel and Power BI for leadership reporting.
• Provide security guidance during incident response and change advisory reviews.

Requirements

• Bachelor’s degree in Information Security, Computer Science, Information Systems, or equivalent experience.
• 1–3 years of experience in information security, risk management, audit, or a related technical role.
• Strong knowledge of security frameworks: NIST CSF/800-53, ISO 27001, CIS Controls.
• Experience with risk analysis, control testing, and security documentation.
• Proficiency with Excel, Power BI, and reporting to technical and non-technical audiences.

Nice-to-haves

• Security certifications: CISSP, CISM, CRISC, CGRC (CAP), Security+, CCSP/CCSK, or CISA.
• Cloud security experience with AWS, Azure, and/or Google Cloud.
• Knowledge of IAM, network security, logging/SIEM, encryption, and DevOps security practices.
Interested in this role? Apply on iHire