IT – 18B_Office of Information Technology_OIT – Cyber Security Analyst 3 – ESA OIT ENT SECURITY ARCHITECTURE, ESA21 RISK MANAGEMENT – 18B 20260224_11707

Job Description

Any candidate scheduled for a Teams interview must have a current screenshot picture uploaded onto the interview request page in dotStaff. Photo IDs/passport, etc. will NOT be accepted. This should be a current screenshot from an interaction with the vendor. This now must be uploaded BEFORE you can accept the interview request and cannot be edited after the interview is accepted. This will need to be added when you accept the interview. This MUST be uploaded as a PDF file. Vendors MUST be present at the beginning of the interview to validate their candidate. If they are NOT, the manager is encouraged to cancel the interview.

Max Bill Rate: $75.00
HireRight Package: Standard Package B, Global ID, & CJIS Fingerprints
Work Location: 100% Remote. Manager will only consider candidates in the Eastern and Central time zones.
Bids can be over the Max Rate: No

Top Skills:
Strong understanding of cybersecurity principles, best practices, and control frameworks (e.g., NIST CSF, NIST 800-53).
Demonstrated ability to interpret SOC 2 Type II reports, ISO 27001 certifications, penetration test reports, and related third-party security documentation.
Experience conducting third-party, vendor, or technology risk assessments and identifying compensating controls.
Experience supporting or operating within a Third-Party Risk Management (TPRM) program.

Preferred Skills:
Working knowledge of Governance, Risk, and Compliance (GRC) platforms (e.g., Archer or similar tools)
Experience leveraging third-party risk monitoring tools (e.g., Black Kite)
Local, state, or federal government experience.

Job Description:
The Cyber Security Analyst III (CSA3) within the State’s Information Security Office (ISO) will be responsible for evaluating, analyzing, and assessing cybersecurity risks associated with new technologies, proposed solutions, and third-party vendors. This includes reviewing vendor security attestations, assessing architectural designs, validating security controls, and supporting statewide procurement decisions through structured risk assessments.

This role will also support the development and maturation of the State’s Third-Party Risk Management (TPRM) program, including the enhancement and operation of tools such as Black Kite. Additionally, the CSA3 will assist with evaluating cybersecurity waiver submissions requiring deeper technical analysis and will help maintain the statewide risk register to ensure tracking and remediation of risks that exceed the State’s risk tolerance.

KEY RESPONSIBILITIES:
New Technology & Solution Security Reviews:
Conduct security reviews for new technologies, cloud services, applications, and proposed solutions.
Review architectural diagrams to verify appropriate security controls, configurations, and data-protection mechanisms.
Assess alignment with State of Maine security requirements and applicable regulatory or compliance standards.
Develop and document risk assessments with actionable recommendations to support procurement and technology-adoption decisions.

Security Attestation & Third-Party Assessment:
Review and analyze third-party cybersecurity attestations, including SOC 2 Type II, ISO 27001 certifications, external penetration tests, and security questionnaires.
Identify control gaps, inherited risks, and areas requiring additional compensating controls.
Coordinate with procurement, legal, and business stakeholders during vendor onboarding and technology evaluation.

Third-Party Risk Management (TPRM) Program Support:
Assist in developing, enhancing, and maintaining the statewide TPRM program.
Leverage and operationalize TPRM tools, including Black Kite, to support ongoing monitoring, vendor tiering, and risk scoring.
Contribute to the creation of policies, processes, templates, and guidelines that mature the third-party risk-evaluation process.

Governance, Risk & Compliance (GRC) Platform Support (Archer IRM):
Utilize the Archer GRC platform to document risk assessments, waiver reviews, and remediation tracking activities.
Support the continued implementation and refinement of Archer workflows related to enterprise risk management.
Contribute to data quality, reporting accuracy, and process improvements to enhance risk visibility and governance maturity.

Waiver Review & Technical Risk Analysis:
Support the review of security waiver requests that require deeper technical analysis to evaluate risks of temporary control exceptions.
Document findings, risk impacts, and recommended mitigation strategies to inform risk acceptance decisions.

Risk Register Management & Remediation Tracking:
Assist in maintaining the statewide security risk register, ensuring risks are documented, categorized, and updated.
Track remediation progress and validate completion for risks that exceed established tolerance thresholds.
Collaborate with stakeholders to monitor deadlines, escalate overdue items, and verify mitigation plans remain effective.

MINIMUM QUALIFICATIONS:
Demonstrated experience in cybersecurity analysis, technology or architecture review, third-party or solution security evaluations, or related security-engineering activities. Familiarity with cybersecurity standards, control frameworks, and risk-management practices applicable to government environments is strongly desired.

KNOWLEDGES, SKILLS, AND ABILITIES REQUIRED:
Strong understanding of cybersecurity principles, best practices, and control frameworks (e.g., NIST CSF, NIST 800-53).
Demonstrated ability to interpret SOC 2 Type II reports, ISO 27001 certifications, penetration test reports, and related third-party security documentation.
Familiarity with architectural review processes, cloud security concepts, and secure design principles.
Experience conducting third-party, vendor, or technology risk assessments and identifying compensating controls.
Experience supporting or operating within a Third-Party Risk Management (TPRM) program.
Working knowledge of Governance, Risk, and Compliance (GRC) platforms (e.g., Archer or similar tools) is strongly preferred.
Experience leveraging third-party risk monitoring tools (e.g., Black Kite) or similar platforms is desirable.
Strong analytical, technical writing, and documentation skills with the ability to clearly communicate risk to both technical and non-technical stakeholders.
Ability to manage multiple concurrent assessments while meeting deadlines in a fast-paced environment.
Strong organizational skills, attention to detail, and sound professional judgment in evaluating and documenting risk.

OPPORTUNITY TO DEVELOP IN THE POSITION BY GAINING:
Advanced expertise in technology-security review and third-party risk governance.
Hands-on experience building and maturing risk-management processes and tooling for a statewide cybersecurity program.
Exposure to procurement-related security evaluations and cross-department collaboration.