Information Security: Governance, Risk, & Compliance Analyst

Location: West Pittsburgh, PA

Job Type: Full Time / Permanent

The Security Analyst will be responsible for performing Information Security vendor risk assessments, assisting in the validation and reporting of IT compliance activities (e.g. PCI), developing and maintaining documents relevant to the organization’s policy lifecycle, and contributing to the overall improvement and growth of department projects. This individual will partner with a variety of departments to support and communicate the results of governance, risk and compliance activities across the organization.

Responsibilities:

  • Facilitate, monitor and report on information security vendor risk assessments based on industry best practices and corporate policy requirements.
  • Evaluate vendor responses to identify information security risks and collaborate with company and vendor personnel to understand and document relevant compensating controls.
  • Support IT compliance activities (e.g. PCI) throughout the company and its subsidiaries.
  • Act as liaison between third party assessors and business stakeholders for related compliance efforts and perform relevant self-assessments against organizational IT compliance requirements.
  • Develop and maintain information security policies, standards, procedures and guidelines in accordance with evolving best practices and technologies.
  • Contribute to the performance, improvement and growth of Information Security Governance, Risk and Compliance processes and projects.

Education & Experience:

  • Bachelor’s Degree in Computer Science or Information Systems
  • 3-5 years' experience
  • Third Party Risk assessments
  • PCI/SOX assessments
  • Governance, Risk, and Compliance
  • CISM
  • CISA
  • Proficiency in Microsoft Office Suite
  • Experience with managing and/or implementing eGRC tools
  • Self-motivated to learn, manage and continuously improve the Information Security GRC programs.
  • Previous PCI assessment experience a plus.
  • Broad understanding of security fundamentals and general security technologies, including operating systems, network security (firewalls, VPNs, IPsec), security event management, cryptography, directory services, etc.