Information Security Policy, Compliance and Risk Analyst (Information

The University of Connecticut
09 Jul 2024
13 Jul 2024
Employer Sector
Technology, IT & Telecoms
Contract Type
Full Time

Under the direction of the Chief Information Security Officer, the Information Security Policy, Compliance and Risk Analyst (Information Security Analyst 2 or 3) is responsible for the development and operation of UConn s Information Security Governance, Risk, and Compliance Program. The analyst develops policy recommendations, standards, risk assessments, and technical solutions. This role will assess, develop, and maintain a set of defined control standards designed to improve UConn s information security posture through periodic assessments against the established standards and industry best practices. The Information Security Policy, Compliance, and Risk Analyst is responsible for investigating a diverse range of policy, compliance, and technical issues across multiple platforms, working with a wide range of clients whose technical skills range from minimal to in–depth.The analyst works among a team of skilled information security and information technology professionals to assess and address problems within a complex network and cloud environment.

The Information Security Policy, Compliance, and Risk Analyst may specialize in a number of areas related to the continuous improvement of policy, compliance, monitoring, detection, and mitigation capabilities as part of the Information Security Office s mission. These include but are not limited to Policy, Compliance, Vulnerability Management, Application Security, Firewalls, VPN, and IDS/IPS, Security Architecture, and other related Information Security disciplines. The Analyst plans, organizes, and establishes priorities related to an assignment; works independently with minimal outside support; and handles sensitive information in a confidential manner.


  • Build, deliver, and manage an effective risk management program based on commonly accepted risk management strategies and frameworks and participate in the development and maintenance of relevant IT policy.
  • Lead compliance initiatives such as: establishing security standards; performing periodic benchmarking assessments against chosen security standards and industry best practices; testing of controls; and engaging in incident response activities as required.
  • Coordinate and participate in risk assessment activities and analyze the output of such activities.
  • Produce and communicate recommendations to remediate risk in line with business objectives, and perform security assessments against systems and applications.
  • Act as a liaison with third parties who are performing security or risk assessments and drive remediation of issues identified by the assessments.
  • Research, evaluate, and recommend information security related hardware and software and produce, maintain, and update documentation.
  • Manage key security processes to ensure the University s compliance with industry regulations (e.g. NIST 800–171, CMMC 2.0, DFARS 252.204–70xx, HIPAA, PCI–DSS) and maintain awareness of external regulations for new or changed requirements.
  • Serve as a key operational member and compliance official for the university s Secure Research Infrastructure program.
  • Draft and maintain systems security plans. Serve as subject matter expert regarding the sufficiency of controls and conformance to documented SSP(s) to address regulatory or compliance framework requirements.
  • Use security tools (Firewall/VPN, Vulnerability Management, IDS/IPS, SIEM) in identifying and investigating threats to the environment, assessing compliance, and identifying risk reduction initiatives.
  • Administer security tools (Vulnerability Management, IDS/IPS, GRC, VRM) to prevent threats and reduce risk in the environment.
  • Monitor Security Information and Event Management (SIEM) platform and other logging environments for security events and alerts to potential (or active) threats, intrusions, and/or compromises.
  • Triage and respond to service requests from customers and internal teams.
  • Participate in incident response activities in the event of cyber security incidents.
  • Identify system security gaps, perform risk assessments, and recommend solutions to ensure best practices and security measures are being met for university systems.
  • Promote security awareness providing direction, advice, and insight in all areas of information security to faculty, staff, researchers, and students of the University community.
  • Maintains awareness of potential and developing threats across applicable industries and disciplines.
  • Other duties as assigned.
  • Design, implement, and maintain new security solutions.
  • Lead major projects/initiatives related to security.
  • Integrate data for use between various applications.
  • Identify enterprise level security gaps, perform risk assessments, and recommend solutions to ensure best practices and security measures are being met across and between enterprise level systems.
  • Creates custom code, api/rest integrations, or other maintainable integrations to facilitate data gathering/sharing across applications and platforms.
  • Ability to operate autonomously and with limited supervision.

Note: Applicants must meet all minimum requirements of a specific level to be considered for the position.
  • Associate's degree and four (4) years of related experience, OR Bachelor s degree and two (2) years of related experience, OR Six (6) years of related experience AND One (1) to three (3) years of experience working in an information security role or supporting an information security program.
  • Demonstrable practical experience overseeing or participating in projects designed to improve institutional adherence to security policies or regulatory compliance.
  • Experience administering an information security tool/platform and interpreting or leveraging the capabilities of that platform.
  • Experience administering a data loss prevention system, governance, risk and compliance system, vulnerability management system, vendor risk management platform, or similar enterprise level platform.
  • Knowledge of current security regulatory requirements including (but not limited to) HIPAA, CMMC 2.0, NIST 800–171, and PCI–DSS security requirements.
  • Experience and competency in threat management and protection protocols.
  • Excellent communication skills and attention to detail and the demonstrated ability to successfully interface with administrators, and technical and non–technical community members at all levels.
  • Demonstrable understanding of common security controls (e.g. Firewalls, IPS/IDS, Network Architecture, Vulnerability Scanners, SIEM/SIM).
  • Demonstrable ability to weigh business needs against security concerns.
  • Demonstrable ability to operate under pressure and manage multiple priorities/deadlines.
  • Associate's degree and six (6) years of related experience, OR Bachelor s degree and four (4) years of related experience, OR Eight (8) years of related experience AND Three (3) to five (5 )years of experience working in an information security role or supporting an information security program.
  • Senior level practical and technical information security experience.
  • Demonstrable experience leading compliance and certification efforts for CMMC, NIST 800–171/2, DFARS 252.204–70xx, HIPAA, or other complex regulatory frameworks which have resulted in successful certification or acceptance of a regulating authority or agency.
  • Relevant information security certification(s) in one or more applicable information security domains.
  • Experience in higher education.
  • Enterprise scale project management experience.
  • Master s degree in information security, computer science, information management, or a related discipline.
  • CISSP/CISA/CISM certification or equivalent.

This is a full–time, permanent position. The University offers a competitive salary, and outstanding benefits, including employee and dependent tuition waivers at UConn, and a highly desirable work environment. For additional information regarding benefits visit: . Other rights, terms, and conditions of employment are contained in the collective bargaining agreement between the University of Connecticut and the University of Connecticut Professional Employees Association (UCPEA).


Employment of the successful candidate is contingent upon the successful completion of a pre–employment criminal background check.


Please apply online at , Staff Positions, Search to upload a resume, cover letter, and contact information for three (3) professional references.

This job posting is scheduled to be removed at 11:55 p.m. Eastern time on June 24, 2024.

All employees are subject to adherence to the State Code of Ethics which may be found at .

All members of the University of Connecticut are expected to exhibit appreciation of, and contribute to, an inclusive, respectful, and diverse environment for the University community.

. click apply for full job details