
Senior IT Risk and Compliance Analyst

Job no: 503864
Work type: Regular Full-Time
Location: Washington, DC
Capability Area: IT DSS Security and Compliance

JOB SUMMARY:

NORC at the University of Chicago seeks a Senior IT Risk and Compliance Analyst to join our DSS Security and Compliance group.

The successful candidate will be part of an IT Risk and Compliance team, expert in government security standards and regulations. The team is responsible for specifying, documenting, validating, and maintaining IT security & privacy controls to ensure compliance with security requirements of clients (principally Government) and corporate standards for data and systems integrity. The team develops and implements tools and processes to measure and track IT risk and compliance metrics. The team provides guidance to IT functional teams on risk and compliance as it pertains to system development, documentation, testing, monitoring, and reporting. The team conducts risk assessments and security impact analyses of information systems.   

Location: This is a hybrid role based in our Chicago Loop or Washington, DC office, with a minimum of six days per month in the office. Remote candidates may also be considered.

Qualified applicants must be U.S. citizens due to security clearance requirements for projects. 

DEPARTMENT: Digital Services & Solutions Security & Compliance

NORC's Digital Services & Solutions group provides technology services to our staff and clients. Given the critical role technology plays in our day-to-day lives, we are committed to providing professional, high-quality solutions in order to further our collective goal of advancing social science research. 

RESPONSIBILITIES:
  • Work with the team in specifying, documenting, validating, and maintaining IT security & privacy controls to ensure compliance with security requirements of clients (principally Government) and corporate standards for data and systems integrity.

  • Help develop and implement tools and processes to measure and track IT risk and compliance metrics. 

  • Provide guidance to IT functional teams on risk and compliance as it pertains to system development, documentation, testing, monitoring, and reporting. 

  • Assist the team with conducting risk assessments and security impact analyses of information systems. 

REQUIRED SKILLS:

Education and Certifications: 

  • Bachelor’s degree in Computer Science, Information Technology, or a related field (or equivalent years of experience).

  • Professional certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or similar certifications. 

General Experience: 

  • Minimum of 4 years of experience in information security roles, emphasizing security architecture and engineering solutions. 

  • Proven experience in performing network penetration testing, vulnerability scans, and configuration analysis. 

  • Experience overseeing project penetration testing activities. 

  • Preferred experience as an ISO for federal programs and projects. 

  • Experience coordinating communications across vendors, internal stakeholders, and program owners. 

  • Experience using CSAM.

ATO Experience: 

  • In-depth knowledge and experience guiding information systems through the Authorization to Operate (ATO) process:  

  • Proficient in navigating the complex landscape of ATO processes, demonstrating a successful track record in obtaining authorizations for information systems 

  • Extensive knowledge of the steps involved in the ATO process, ensuring compliance with government regulations and standards, including NIST Special Publications and FISMA 

  • A proven ability to streamline and expedite ATO timelines without compromising security standards, showcasing efficiency in documentation and regulatory adherence 

  • Expertise in developing and presenting comprehensive ATO documentation, including System Security Plans, to accrediting authorities and other relevant stakeholders 

  • Demonstrated skill in addressing and mitigating security risks identified during the ATO process, ensuring the secure operation of systems in various environments 

  • Exceptional communication skills to articulate ATO requirements, progress, and challenges to both technical and non-technical stakeholders, fostering collaboration and understanding. 

Risk Management Experience: 

  • Demonstrated experience in developing threat models and security risk assessments. 

  • Ability to recommend mitigations and countermeasures to address identified risks, vulnerabilities, and threats. 

  • Experience conducting incident response across vendors, internal stakeholders, and program owners, including implementing and coordinating the response plan, overseeing the technical response, and coordinating with legal, technical, and communications teams.

Compliance and Documentation: 

  • Thorough understanding and experience with government regulations and standards related to information security. 

  • In-depth knowledge of security compliance checks and the ability to perform audit activities. 

  • Experience in reviewing and validating security documentation, including system security requirements definition and System Security Plans. 

  • Experience conducting penetration testing across multiple vendors, contractors, and consultants that meet stringent client requirements. 

Communication and Guidance: 

  • Strong communication skills with the ability to guide NORC customers on information security policies and regulations. 

  • Ability to effectively communicate complex security concepts to both technical and non-technical stakeholders.

SALARY AND BENEFITS:

The pay range for this position is $97,000 - $120,000. 

This position is classified as regular. Regular staff are eligible for NORC’s comprehensive benefits program. Benefits include, but are not limited to:  

  • Generously subsidized health insurance, effective on the first day of employment 

  • Dental and vision insurance  

  • A defined contribution retirement program, along with a separate voluntary 403(b) retirement program  

  • Group life insurance, long-term and short-term disability insurance 

  • Benefits that promote work/life balance, including generous paid time off and holidays, paid parental leave, bereavement leave, tuition assistance, and an Employee Assistance Program (EAP).

NORC is committed to equity and transparency in its pay practices. We publish salary ranges and benefit information for every job. The listed hiring range reflects what we, in good faith, expect to pay at the time of posting, though actual compensation may vary and may be adjusted over time. A candidate’s placement within the range depends on factors such as competencies, education, qualifications, experience, skills, performance, and organizational needs.

WHAT WE DO:

NORC at the University of Chicago is an objective, non-partisan research institution that delivers reliable data and rigorous analysis to guide critical programmatic, business, and policy decisions. Since 1941, our teams have conducted groundbreaking studies, created and applied innovative methods and tools, and advanced principles of scientific integrity and collaboration. Today, government, corporate, and nonprofit clients around the world partner with us to transform increasingly complex information into useful knowledge.

WHO WE ARE:

For over 80 years, NORC has evolved in many ways, moving the needle with research methods, technical applications and groundbreaking research findings. But our tradition of excellence, passion for innovation, and commitment to collegiality have remained constant components of who we are as a brand, and who each of us is as a member of the NORC team. With world-class benefits, a business casual environment, and an emphasis on continuous learning, NORC is a place where people join for the stellar research and analysis work for which we’re known, and stay for the relationships they form with their colleagues who take pride in the impact their work is making on a global scale.

EEO STATEMENT: 

NORC is an equal opportunity employer. NORC evaluates qualified applicants without regard to race, color, religion, sex, gender, national origin, disability, status as a protected veteran, sexual orientation, and other legally protected characteristics.
