As a Security Risk Analyst II, you will be responsible for supporting the organization's Governance, Risk & Compliance program with a primary focus on conducting and managing risk assessments within ServiceNow Integrated Risk Management (IRM). This role plays a key part in evaluating security and compliance risks across business units, ensuring alignment with frameworks such as ISO 27001, PCI, NYDFS, and regulatory requirements. The analyst will collaborate with technical and business stakeholders to assess risks, identify control gaps, track remediation, and support continuous improvement of the risk management lifecycle.

Ready to get in the driver's seat? Join us!

What you'll do

Risk Assessment & Analysis
- Perform comprehensive security and compliance risk assessments using ServiceNow IRM Risk, Policy & Compliance, and Vendor Risk modules.
- Review and validate inherent and residual risk scoring, ensuring consistent application of risk methodologies.
- Evaluate control effectiveness using evidence, documentation, interviews, and technical data.
- Identify security risks, gaps, and vulnerabilities across processes, technologies, vendors, and applications.
- Document detailed findings, recommendations, and remediation plans.

ServiceNow IRM Administration & Optimization
- Create, update, and manage risk records, assessments, workflows, indicators, and control attestations.
- Support enhancements to IRM processes, playbooks, and automation capabilities.
- Assist with platform data integrity, reporting, dashboards, and process optimization.

Governance, Risk & Compliance Support
- Support ongoing compliance efforts aligned to ISO 27001, PCI, NYDFS, and other regulatory frameworks.
- Participate in internal and external audit readiness activities by gathering evidence, validating controls, and tracking requirements.
- Maintain documentation including policies, standards, risk methodology, and control libraries.

Stakeholder Collaboration
- Work closely with business owners, security engineers, procurement, and IT teams to explain risks and required actions.
- Track remediation plans, validate closure, and assist teams in interpreting control obligations.
- Present risk findings and trends to GRC leadership and cross-functional teams.

Reporting & Metrics
- Produce dashboards and risk reports from ServiceNow IRM for leadership review.
- Monitor KPIs and KRIs related to risk posture, control performance, and compliance obligations.

This might describe you
- 2+ years of experience in GRC, information security, risk management, or compliance roles.
- Hands-on experience using ServiceNow IRM (Risk, Policy & Compliance, Vendor Risk, or Audit modules).
- Strong understanding of information security and GRC frameworks (ISO 27001, PCI, NYDFS, and other regulatory frameworks).
- Experience conducting or supporting risk assessments for applications, processes, or technology.
- Ability to analyze complex security issues and communicate findings clearly to technical and non-technical stakeholders.
- Familiarity with security controls, vulnerability management, and audit concepts.
Job Type: Full-time
Career Level: Mid Level
Education Level: No Education Listed