IT Risk and Architectural Standards Compliance Analyst

Campus Site: Fairfax, VA; Workplace Type: Hybrid Eligible


Department: Information Technology

Classification: Info Technology Spec 2

Job Category: Classified Staff

Job Type: Full-Time

Work Schedule: Full-time (1.0 FTE, 40 hrs/wk)

Location: Fairfax, VA

Workplace Type: Hybrid Eligible

Pay Band: 05

Salary: Salary commensurate with education and experience

Criminal Background Check: Yes

About the Department:

George Mason University's Information Technology Services (ITS) organization provides information technology resources, systems, services, tools, and training to the university community. ITS' mission is to deliver enabling technology to the George Mason community by leveraging reliable and secure services. The organization consists of six groups: Enterprise Infrastructure Services, Enterprise Applications, Learning Support Services, IT Security Office (ITSO), Enterprise Service Delivery, and Academic Strategies, with dotted-line reporting to Research Computing.

The IT Risk and Compliance (ITRC) team works closely with other ITS groups to define and document service designs and strategies, to promote the adoption and practice of consistent policies and processes, and, jointly with the IT Security Office, to identify and mitigate risk and compliance issues associated with ITS policies and processes. ITRC facilitates the Architectural Standards Review Board (ASRB), which reviews software for approval prior to purchase to ensure that standards and legal obligations are met. ITRC also provides audit support and coordination, oversight of remediation activities, and IT risk and compliance reporting; conducts Third-Party Risk Management (TPRM) activities; manages application administration of the Archer Integrated Risk Management (IRM) tool; and oversees the delivery and enforcement of IT Security Awareness training.

About the Position:

The IT Risk and Architectural Standards Compliance Analyst works with the various ITS teams and University stakeholders to ensure that ITS-managed services, systems, and processes adhere to defined standards. Tasks may include, but are not limited to, participating in the specification and selection of standards and guidelines; staying aware of current regulations and potential audit points pertaining to IT services and service management; performing assessments, documenting results, and reporting perceived deficiencies to management; and coordinating audit inquiries and responses with internal and external auditors and impacted ITS teams. A major focus of this position includes conducting assessments of existing and proposed solutions; reviewing security and compliance in the context of established controls and requirements; and establishing and maintaining productive collaborations with University departments, collaborators, and customers in supporting functions such as Architectural Standards Review Board assessments, other control assessments, audit support, issues management, and risk treatment activities.

Responsibilities:

  • Monitors identified systems and processes within ITS to assess adherence to established policies and standards;
  • Develops and maintains risk assessments, System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), and other documentation as needed in support of the systems and program;
  • Works closely with various departments, stakeholders, and the IT Security Office to review, refine, and track the effectiveness of technical security controls;
  • Uses knowledge of applicable regulations, frameworks, and standards to assess and report on the compliance posture of systems and proposed solutions; conducts risk and compliance analysis; and reports on the outcomes of Architectural Standards Review Board (ASRB) engagements;
  • Ensures that ASRB reviews are prioritized and conducted in a manner that helps the process meet or exceed the promised turnaround times;
  • Ensures that an annual disaster recovery exercise is conducted by ITS and collaborating departments;
  • Builds partnerships and earns customer trust by socializing IT Risk and Compliance services, and looks for ways to continually improve the quality of services and the customer experience;
  • Under general guidance from the manager and senior staff, analyzes processes and workflows, and develops process maps and documentation in accordance with established ITS standards;
  • Works with ITSO, the CISO, and ITS technical teams to develop and document policies and standard operating procedures as needed to meet compliance requirements;
  • Participates in process improvement projects and initiatives;
  • Effectively elicits details of process requirements and workflows from ITS teams and summarizes them accurately;
  • Writes clearly and succinctly; and
  • Accurately analyzes data and task flows and represents them in understandable diagrams.

ITS Audit Response Coordination

  • Under guidance from the manager, works with impacted ITS groups to compose and deliver responses to Internal Audit, the Auditor of Public Accounts, and other audit teams as required to address findings and open issues;
  • May participate in software license compliance audits and software license tracking initiatives;
  • May generate status reports for management and senior staff; and
  • Communicates clearly and professionally with auditors, auditees, customers, and others; accurately captures requirements and responses; and exhibits ethical behavior at all times.

Other Duties as Assigned

  • Other duties may involve administrative or technical project work, sometimes assigned on short notice. Satisfactory completion of assigned activities is required.

Required Qualifications:

  • High school diploma or equivalent;
  • Demonstrated work experience in an information technology services organization;
  • Previous direct working experience with cloud-based platforms such as AWS, Azure, GCP, Salesforce etc.;
  • Experience working directly with customers and coworkers to audit, review and/or document work processes;
  • Courses or experience in information security or auditing/ IT risk assurance;
  • Courses or experience in business analysis;
  • Demonstrated experience and knowledge of secure software development and architectural concepts;
  • Working knowledge of common Microsoft Office applications including Word, Excel, and PowerPoint;
  • Good project and time management skills;
  • Excellent oral and written communications and interpersonal skills;
  • Demonstrated ability to effectively analyze, organize and present information at appropriate levels for a variety of audiences;
  • Demonstrated ability to rapidly acquire, integrate, and analyze information to achieve a result and provide decision support;
  • Must possess critical thinking, ability to connect the dots, question status-quo and present credible challenge;
  • Solid understanding of common IT security standards, including NIST SP 800-53 and related publications and how to apply them;
  • Attention to detail;
  • Demonstrated commitment to continual learning;
  • Must be a U.S. Citizen or Permanent Resident (Green Card holder), and successfully complete a criminal background check as required by federal law;
  • ISC2 Certified Authorization Professional (CAP; now offered by ISC2 as Certified in Governance, Risk and Compliance, CGRC), ISACA Certified Information Systems Auditor (CISA); and
  • CompTIA Security+, ISC2 Systems Security Certified Practitioner (SSCP), or a similar entry-level security certification.

Preferred Qualifications:

  • Bachelor’s degree in related field;
  • Work experience (typically three or more years) in an information security or related field;
  • Previous direct working experience performing architectural and security reviews of systems and processes;
  • Previous direct working experience performing audits or security assessments, control testing, analyzing processes, and/or identifying and implementing process improvements;
  • Plans and executes projects and assignments efficiently and effectively;
  • Working knowledge of Visio or similar drawing tools; and
  • Exercises good judgment, observation, communication, and analytical skills when assessing performance of systems, processes, and personnel.

Instructions to Applicants: 

For full consideration, applicants must apply for the IT Risk and Architectural Standards Compliance Analyst position at https://jobs.gmu.edu/. Complete and submit the online application, including three professional references with contact information, and provide a Cover Letter/Letter of Intent with CV for review.

Posting Open Date: January 10, 2025

Posting Close Date: January 24, 2025

Open Until Filled:  No


Perks/benefits: Career development

Region: North America
Country: United States
