Sr Analyst GRC Cybersecurity Job Listing at NRECA in Arlington, VA (Job ID R2026-840)

Description

Job Description

NRECA is a unique national trade association providing advocacy, financial services and business support services to over 900 consumer owned electric cooperatives across the country.  NRECA employees are united by our mission, inclusive culture, collaborative workplace and commitment to service excellence.  As a “best place to work” employer, we operate with integrity, transparency and a spirit of innovation.

Join IT at NRECA where we are more than a team, we are a community. Guided by the core tenets of Simplicity, Security, Continuity, Transparency, and Flexibility, we strive to deliver business value through collaboration, ideation, and innovation. Become an integral part of a community driven to continuously improve our processes and transform how we work – in partnership with our colleagues and in service to our members.

This position leads key functions within Cybersecurity Governance, Risk, and Compliance, including cybersecurity risk identification, assessment, prioritization, and lifecycle governance, as well as compliance and issue management. The ideal candidate will have experience analyzing findings to strengthen controls, improve governance processes, and advise IT and business stakeholders on mitigation strategies. This position is eligible for NRECA's hybrid schedule which allows for flexibility to work from home up to 2 days per/week.

Key Responsibilities

• Advises IT and business units by leading activities to identify, assess, and prioritize cybersecurity risks, ensuring alignment with legal, regulatory, contractual, policy, and standard requirements.
• Partners with risk and control owners to develop, implement, and maintain risk registers and metrics; governs and reports on risks and mitigations throughout the lifecycle; maintains risk management policies, standards, and the assessment plan.
• Manages compliance and issue management activities, coordinating with regulators and auditors to track and remediate issues. Tests controls for design and effectiveness and partners with owners to implement remediation, reporting on findings and status.
• Analyzes findings to identify vulnerabilities and opportunities to strengthen controls, governance, and mitigation. Proactively advises leaders on improvements and ensures proper prioritization and escalation of risks.
• Performs cybersecurity risk governance, ensuring activities follow the governance framework and reporting on conformance.
• Facilitates monthly security risk meetings to report activities, metrics, risks, and improvement opportunities.
• Optimizes the risk governance framework based on best practices and guides IT and business stakeholders in implementing governance requirements.
• Leads development of third-party risk management policies and standards and advises on the annual assessment plan; works closely with stakeholders on third party assessments and risk management. ‑party risk management policies and standards and party assessments and risk management.
• Defines risk and control requirements for systems, data, and technology across cloud, on premises, and third-party environments; assesses system designs for risks and cybersecurity noncompliance. ‑premises, and third‑party environments; assesses system designs for risks and cybersecurity non‑compliance.
• Maintains and continually develops expertise in GRC trends, technologies, and evolving methods to ensure organizational alignment with current practices.

Required Qualifications and Skills

• Bachelor's in Computer Science, Management Information Systems, Information Security, or related field.
• 7+ years of experience in IT and information security risk management, compliance, audit, and governance.
• 7+ years of experience leading and conducting information security risk assessments, control audits, and third-party security risk assessments.
• Strong technical knowledge of IT and information security technologies, including AWS, Azure, and M365.
• Experience with information security frameworks, standards, and best practices such as NIST CSF, NIST RMF, NIST 800-30, NIST 800-53, NIST 800-171, HIPAA, SOC2, CIS, ISO 27001/27002, and COBIT.
• Experience with GRC tools, reports and dashboards development, and compliance automation.
• Ability to report to the office

Preferred Qualifications and Skills

• Technical knowledge pertaining to security hardening of OS, applications and networks
• Experience reviewing system or network designs for risk and compliance that encompass multiple enclaves/networks, including those with different data protection or classification.
• Conducted Third-Party Security assessments reviewing contracts for security requirements and inserting risk management practices within existing processes.
• Led the implementation of technical security controls across all phases of the SDLC, ensuring alignment with security architecture standards and compliance requirements.
• Preferred Certifications:
  • Information Systems Security Professional (CISSP)
  • Risk and Information Systems Control (CRISC)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Manager (CISM)

Essential Physical Requirements

• The worker is required to have close visual acuity to perform an activity such as: preparing and analyzing data and figures; transcribing; viewing a computer terminal and extensive reading.
• Exerting up to 20 pounds of force occasionally, and/or up to 10 pounds of force frequently, and/or a negligible amount of force constantly to move objects. If the use of arm and/or leg controls requires exertion of forces greater than that for sedentary work and the worker sits most of the time, the job is rated for light work.

Disclaimer Statement: The preceding job description has been written to reflect management's assignment of essential functions. It does not prescribe or restrict the tasks that may be assigned.

Additional Requirement:

The preceding job description has been written to reflect management's assignment of essential functions. It does not prescribe or restrict the tasks that may be assigned.  All qualified applicants will receive consideration for employment without regard to race, color, sex, sexual orientation, gender identity, religion, national origin, disability, veteran status, or other legally protected status.

NRECA is committed to working with and providing reasonable accommodation to individuals with physical and mental disabilities. If you need special assistance or an accommodation while seeking employment, please e-mail humanresources@nreca.coop or call: 703-907-5992 - NRECA Arlington Human Resources. Please call 402-483-9275 - NRECA Lincoln Human Resources, for Lincoln, NE employment opportunities. We will make a determination on your request for reasonable accommodation on a case-by-case basis.

The U.S. Equal Employment Opportunity Commission (EEOC) recently released the 'Know Your Rights' poster, which updates and replaces the previous "EEO is the Law" poster and "EEO Is the Law Poster Supplement". 

Pay Transparency Non-Discrimination. NRECA will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay. Please see the Pay Transparency Nondiscrimination Provision for more information.

E-Verify. As a Federal Contractor, NRECA is required to participate in the E-Verify Program to confirm eligibility to work in the United States. For information please click on the following link: E-Verify.

For more information about life at NRECA please visit www.Electric.coop.