GRC Analyst/Cybersecurity Audit Analyst

Cybersecurity Audit Analyst (3) / GRC Policy Analyst Boston, MA, 02115 Description Hybrid 2-3 days per week on-site in Boston The EOTSS Enterprise Risk Management (ERM) program is seeking a qualified Cybersecurity Audit Analyst with a minimum of five (5) years of relevant experience. The selected candidate will play a key role in executing and enhancing the Commonwealth s cybersecurity audit program, including both internal audit activities and coordination of external audit responses. This position requires strong knowledge of cybersecurity frameworks, auditing methodologies, and risk management practices , along with the ability to work collaboratively across agencies and organizational levels. As a member of the ERM team, you will significantly contribute to the Commonwealth-wide governance, risk and compliance program ensuring compliance with all relevant legislative, regulatory, statutory, and contractual requirements related to Information Security. The incumbent will collaborate with various members and levels of the organization to ensure we are reviewing and updating our applications, systems, user lists, and vendor reviews on a regular periodic and continuing basis. The primary work location for this role will be at One Ashburton Place Boston, Massachusetts 02108. The work schedule for this position is Monday through Friday, 9:00AM - 5:00PM EST. This position follows a hybrid work model, with a minimum onsite presence of approximately 40% (typically two days per week), with specific expectations determined by the Line of Business based on operational needs. Occasional local travel to industry-related events or Commonwealth offices may be required.

Responsibilities include:

Internal audit review Assist deputy chief risk officer, continue to formalize and automate the ERM audit program Conduct regularly scheduled reviews of EOTSS internal processes to ensure recommended risk mitigating controls are fully implemented, followed, documented and effective. Coordinate with ERM risk analysts to ensure internal reviews include current mitigating control recommendations Employ analytical skills to conduct audit tests, participate in meetings and interviews, and assess procedural documentation Create comprehensive reports of audit findings to inform staff and executives of needed updates or improvements Proactively inform senior management of significant risks or exposures related to internal controls, compliance, and/or governance requiring prompt attention Manage the process to track, follow up, and ultimately ensure closure of all open audit issues External audit response Coordinate and follow through with numerous individuals for various audit responses Obtain and provide comprehensive responses to internal and external audit requests. Build and maintain positive working relationships across all levels and functional areas. Meticulously track and document responses to and from multiple sources in a timely and succinct manner. Oversight of the internal audit liaison program Assist documentation of ERM audit program practices and procedures to include templates and reference guides. Plan and schedule program deliverables, goals, milestones.

Required ERM Knowledge, Skills & Abilities:

• At least five (5) years of experience in cybersecurity audit, IT audit, risk management, or compliance
• Strong knowledge of cybersecurity and control frameworks (e.g., NIST, CIS Controls)
• Experience performing audits, risk assessments, program evaluations, and conducting research using quantitative and qualitative methods in a government or highly regulated environment.
• Demonstrate ability to multitask, prioritize, and meet deliverables for various and fluid responsibilities and initiatives.
• Exceptional organizational skills include acute attention to detail especially involving the gathering, updating, tracking, and reporting of data from multiple sources.
• Ability to maintain a consistent and timely follow-through of all requests requiring a response from various members and all levels of the organization.
• A working knowledge of IT, Network infrastructure, software application and software vendor disciplines desired.

Required General Knowledge, Skills & Abilities:

Strong work ethic

• Excellent verbal and written communication skills
• The ability to work independently as well as part of a team.
• Strong adaptability to evolving challenges and changing priorities.
• Ability to think critically, analyze situations, solve problems, and make informed decisions to address complex challenges.
• Strong ability to understand and effectively communicate (verbally and written) across varying levels of the organization.
• Some technical knowledge is preferred.