Position Summary:
The IT Risk & Compliance Analyst plays a critical role in safeguarding Trinity’s technology environment by managing cybersecurity risk, regulatory compliance, and business continuity programs. In addition to ensuring compliance with standards such as PCI DSS and overseeing disaster recovery planning, this role monitors Trinity’s IT environment for emerging cyber threats and coordinates incident response efforts.
As a hybrid security and compliance role, the Analyst supports the development and enforcement of security policies, manages security assessments and remediation, and maintains documentation for internal governance and external audits. The role also provides hands-on technical oversight of log reviews, vulnerability scans, and threat monitoring activities. By promoting a security-aware culture and enabling continuous improvement, the IT Risk & Compliance Analyst strengthens the organization’s resilience and readiness in the face of evolving threats.
The annual salary range for this position is $126,100 to $157,900.
Essential Duties and Responsibilities:
Governance
- Develop and coordinate vendor risk management frameworks, policies and processes within a broader enterprise, operational and IT risk management model.
- Compile metrics for reporting threats, risks, and success of operating controls to leadership.
- Coordinate creation, approval, maintenance and updating of security policies.
- Coordinate periodic access reviews.
Risk Management
- Develop and maintain a methodology to identify and prioritize internal and external threats, quantify the risk to the organization, and recommend methods to mitigate or remediate risk. Work with risk owners to develop appropriate risk response plans; monitor plans to closure.
- Develop and maintain a risk register. Coordinate periodic management reviews and manage exception requests.
- Research emerging threats and vulnerabilities to aid in the identification of network incidents.
Third-Party Risk Management
- Coordinate management of vendor, supplier and other third-party risk.
- Facilitate assessments of new and existing third parties. Evaluate statements of work from partners to ensure that adequate security protections are in place. Assess provider documentation (e.g., security assessment questionnaire responses, SOC 1 or SOC 2 audit reports, or other sources).
- As risks are identified, report risks to management and vendor management teams; work with third parties to develop appropriate risk response plans; and monitor plans to closure.
Security Awareness and Training
- Coordinate, maintain and continuously improve security awareness and role-based security training programs, to mitigate human risks.
- Educate stakeholders on cybersecurity-related matters to increase awareness and improve culture.
- Create and coordinate plans for role-based security training.
Audit and Compliance
- Work with Legal to maintain an understanding of internal and external regulatory compliance requirements.
- Assist in responding to findings from external audits, penetration tests and vulnerability assessments.
- Conduct security control gap assessments of internal systems, third-party and internally-developed applications, and IT infrastructure. Work with technical teams as they develop remediation plans and track approved plans to completion.
Security Monitoring and Incident Response
- Serve as the designated backup Incident Manager when the primary manager is unavailable. Lead the end-to-end response to security incidents, coordinating with external partners as needed (such as cyber insurance carriers, digital forensics teams, and root cause analysis specialists). When activated, initiate and direct the security incident response process and exercise decision-making authority within the scope of the role to ensure timely and effective resolution.
Required Knowledge, Skills, and Activities:
- Strong understanding of IT risk frameworks, compliance requirements, and security standards (e.g., PCI DSS, NIST, ISO 27001).
- Experience supporting internal audits, managing risk registers, and working with external compliance assessors.
- Excellent communication and interpersonal skills with both technical and non-technical stakeholders.
- Highly organized with attention to detail, especially in documenting controls and producing reports.
- Knowledge of disaster recovery planning and operational resilience practices.
- Strong communications and interpersonal skills with a customer-service orientation, including listening, written, and verbal communication.
- Strong informal or formal project management skills with a proven history of getting projects done and meeting project goals utilizing teams.
- Familiarity with threat detection platforms, endpoint security, vulnerability scanning tools, and log analysis.
- Ability to conduct root cause analysis and support containment, eradication, and recovery efforts.
- Strong ability to effectively prioritize work.
- Must be able to work independently.
- Distinctive blend of business, IT, financial and communication skills, because this is a highly visible position with substantial impact.
- Knowledge of project management methodology and experience or familiarity with major, defined program management approaches.
- Knowledge of project planning/scheduling tools, with a solid track record of practical application.
- Effective influencing and negotiating skills in an environment in which this role may not directly control resources.
- Strong knowledge and understanding of business needs, with the ability to establish and maintain a high level of customer trust and confidence.
- Ability to communicate ideas in both technical and user-friendly language.
- Good analytical and problem-solving abilities.
- Highly self-motivated and directed.
- Experience working in a team-oriented, collaborative environment.
- Additional working hours as required.
Required and Preferred Education, Experience, and Credentials:
Required
Candidates will be evaluated primarily upon their ability to demonstrate the competencies required to be successful in the role, as described above. For reference, the typical work experience and educational background of candidates in this role are as follows:
- Bachelor’s degree in Cybersecurity, Information Systems, or a related field, or equivalent experience.
- Minimum 3-5 years of experience in IT risk management, information security, cybersecurity operations, or IT audit.
- Experience supporting disaster recovery planning and regulatory compliance efforts.
Preferred
- Background in security architecture is a plus.
- Preferred certifications: CISA, CRISC, CISSP, or equivalent.
Equal Opportunity Employer
This employer is required to notify all applicants of their rights pursuant to federal employment laws.
For further information, please review the Know Your Rights notice from the Department of Labor.