Information Security Risk Analyst (GRC) - Hybrid (PA/NJ/DE)

IBX is seeking an experienced Information Security Risk Analyst to be the primary owner of cybersecurity risk assessments and our enterprise cyber risk register. You’ll collaborate with ISOGRC and Security Operations to identify, assess, and monitor risks; map them to controls; design and execute regular effectiveness testing; and provide clear, actionable reporting on our risk posture to leadership. You will also drive the project risk assessment process end-to-end, working closely with the Project Management Office to keep initiatives moving while ensuring risks are mitigated and documented.

This role is ideal for someone who thrives in a hands-on environment, can independently run a cyber risk management platform, and is comfortable partnering across audit, third-party risk, and security operations in a regulated healthcare environment.

What You’ll Do

• Own Project Risk Assessments: Intake project requests from the PMO, facilitate stakeholder meetings, perform risk analysis, document findings, recommend mitigations, and publish deliverables (risk assessment report, control requirements, sign-offs) to enable go/no-go decisions.
• Build & Manage the Risk Register: Establish and maintain an enterprise cyber risk register in LogicGate—define risk taxonomy, scoring methodology, control mapping, and treatment plans; track status and residual risk over time.
• Controls Testing & Assurance: Coordinate and perform control effectiveness reviews, define test plans/criteria, and report test results; partner with SecOps to implement corrective actions and continuous improvement.
• Risk Reporting & Governance: Produce dashboards and executive-level reporting on risk posture, trends, key risk indicators (KRIs), and control performance; prepare materials for governance forums and leadership briefings.
• Cross-Functional Collaboration: Work with Audit (SOC 2, HITRUST, external audits), Third-Party Risk (annual vendor assessments), Privileged Access Certification (bi-annual), and Access/Data Monitoring teams to ensure risk linkage and consistent control coverage.
• Methodology & Process Maturity: Define and refine risk assessment procedures, SLAs, and templates; contribute to NIST CSF maturity assessments and HIPAA Security Risk Assessments; support remediation tracking and verification.

Qualifications:

Required

• 1-3 years in cybersecurity risk management or information security with direct experience performing project/initiative risk assessments and managing risk registers.
• Strong knowledge of IT and security controls (identity/access, privileged access, change/configuration, vulnerability management, endpoint/network security, logging/monitoring, incident response).
• Hands-on experience with a GRC or risk management platform (e.g., LogicGate, Archer, OneTrust, ServiceNow GRC) including workflow design, risk scoring, and reporting.
• Familiarity with healthcare and regulated environments; practical understanding of frameworks and standards such as NIST CSF, HIPAA Security Rule, HITRUST, and SOC 2.
• Proven ability to translate technical risk into business-impact narratives and clear mitigation plans; excellent writing and stakeholder facilitation skills.
• Ability to operate independently, set priorities, and move multiple assessments to completion in a fast-paced environment.

Preferred

• Experience implementing LogicGate (risk taxonomy, controls library, workflows, dashboards).
• Exposure to third-party security risk assessments and integration of vendor risks into enterprise risk register.
• Experience with privileged access governance/certification and evidence collection.
• Certifications: CRISC, CISSP, CISM, CGEIT, HITRUST, CCSK (or equivalent).
• Experience with control testing and audit readiness (SOC 2/HITRUST) and developing KRIs/KPIs.