IT Security Risk and Compliance Analyst - Hybrid
The University of California, San Diego
About this position
Position Description
The IT Security Risk and Compliance Analyst executes processes across the organization to conduct the required IT security risk assessment and compliance program to reduce information security risk, address threats and vulnerabilities to information assets, monitor compliance with policy, and improve the overall security posture of the University. The role performs security risk assessments and internal security audits/reviews, supports external audits and accreditation activities, and operates the governance components of the vulnerability management program. This includes vulnerability analysis, risk-based prioritization, remediation tracking, validation of remediation effectiveness, and documentation of risk acceptance where remediation is deferred. The position provides recommendations for security controls and ensures follow-through via established governance processes to meet campus policy and regulatory requirements such as HIPAA, PCI, FERPA, and related standards.

The incumbent maintains clear, audit-ready decision records and evidence artifacts that support internal and external audits, regulatory oversight, and legally mandated information requests. This includes documentation of risk assessments, vulnerability decisions, compensating controls, governance approvals, secure handling of sensitive data, access constraints, and defensible evidence production for legal hold and eDiscovery matters. These activities are required elements of HIPAA compliance and are used to prioritize remediation based on risk, including patient safety and operational resiliency impacts where applicable.

Thorough, documented risk assessments and compliance programs are foundational components of the Information Security Program and drive security improvement activities across the organization.
Qualifications
- Seven (7) years of related experience, education/training, OR a Bachelor's degree in a related area plus three (3) years of related experience/training.
- Related experience: experience performing security risk assessments and/or internal security reviews to ensure that security controls meet policy and/or regulatory requirements, including evaluating control design and effectiveness. This may include experience in areas such as IT security risk and compliance (GRC), IT audit, vendor/third-party risk assessments, security consulting or assessment roles, or technical security roles with responsibility for evaluating control effectiveness and producing audit-ready documentation.
- Ability to follow department processes and procedures.
- Interpersonal skills sufficient to work effectively with both technical and non-technical personnel at various levels in the organization.
- Experience using IT security systems and tools.
- Knowledge of data encryption techniques.
- Knowledge of other areas of IT, department processes and procedures.
- Demonstrated skills applying security controls to computer software and hardware.
- Experience in incident response and digital forensics, including data collection, examination and analysis.
- Demonstrated skill at administering complex security controls and configurations to computer hardware, software and networks.
- Knowledge of computer hardware, software and network security issues and approaches.
- Demonstrated experience selecting and applying appropriate data encryption technologies.