The City of Boston Department of Innovation and Technology (DoIT) Cyber Security Team is actively growing and seeking to hire a Risk, Compliance & Auditing Analyst. This role will further implement and enhance our current cybersecurity governance model(s). This role will be instrumental in enhancing the City of Boston risk, compliance, and auditing capabilities. This position plays a central role in actively promoting a culture of exceptional cybersecurity practices throughout the City of Boston. This role will report directly to the Director of Risk, Compliance, & Auditing and work closely with the broader Cybersecurity Team, DoIT, and other departments and technology teams throughout the City.

a) Enterprise Risk Management:

• Support the implementation and use of enterprise risk management tools to assist in analyzing, reporting & managing enterprise risks.
• Assist in conducting risk assessments to identify and evaluate potential cybersecurity threats and vulnerabilities.
• Help maintain and update the risk register, providing data and insights for key stakeholders.
• Contribute to the third-party vendor/supplier risk program by gathering data and recommending risk mitigation techniques.

b) Compliance Oversight:

• Assist in ensuring adherence to relevant laws, regulations, and industry cybersecurity standards (e.g., NIST Cybersecurity Framework, PCI-DSS, CJIS, FERPA, HIPAA, etc.).
• Participate in regular compliance assessments to identify gaps and support the implementation of corrective measures.
• Support the City’s vulnerability management program by tracking remediation efforts and following up on outstanding issues.

c) Internal & External Auditing:

• Assist in the execution of the City’s internal technical audit program.
• Provide support during information security external audits and regulatory reviews by gathering and organizing necessary documentation.
• Help audit the effectiveness of IT-related internal processes, controls, risk management, and governance activities.

d) Data Analysis and Reporting:

• Collect and analyze data to support the identification of trends and areas for improvement.
• Prepare basic reports and presentations for senior management under the guidance of the Director.
• Utilize data analytics tools to support risk, compliance, and audit processes.

Performs other related work as required.

• Three (3) years of full-time, or equivalent part-time, experience in Information Security, Risk Management, or business-related fields. A Bachelor's degree in a related field may be substituted for two (2) years of the required experience. A Master's degree can be substituted for three (3) years of the required experience.
• Previous hands-on technical experience is desirable.
• Excellent analytical, problem-solving, and decision-making skills.
• Knowledge of information security & risk management frameworks (e.g., NIST, ISO, etc.).
• Some experience assisting with the management of an enterprise risk management program, compliance, and auditing activities, is desirable.
• Proficiency in data analysis and audit software tools.
• Strong communication and interpersonal skills.
• Ability to manage multiple tasks and meet deadlines.
• Ability to leverage best practices and lessons learned from external organizations and academic institutions dealing with cyber issues.
• Ability to exercise good judgment and focus on detail as required by the job.

BOSTON RESIDENCY REQUIRED

Terms:

Union/Salary Plan/Grade: SENA/ MM1-06

Hours per week: 35