Cybersecurity Quality Assurance Analyst – Independent Verification and Validation (IV&V)

Remote
Posted 2 weeks ago

This is a senior-level Cybersecurity Quality Assurance Analyst role focused on Independent Verification and Validation (IV&V) activities. The analyst ensures that all cybersecurity assessment products and risk documentation meet stringent technical, security, and quality standards, validating compliance against multiple federal and industry frameworks before customer delivery.

  • Position Type: Senior Level (Implied by requirements).
  • Experience Required: Seven or more years of relevant cybersecurity experience for senior level; five years in Information Security Governance, Risk, and Compliance (GRC); and three years in third-party cyber risk management.
  • Focus: IV&V, quality control of assessment documentation, validation against NIST/ISO/SOC standards, and third-party/vendor risk assessment.
  • Certifications (Mandatory): Must hold and provide proof of at least one of the following certifications: CISSP, CISA, CISM, CTPRP, or CTPRA.

Responsibilities: Quality Control, Validation, and Documentation

The analyst is the final checkpoint, ensuring assessment integrity, regulatory compliance, and process consistency across the assessment lifecycle.

  • Documentation Review: Review cybersecurity assessment documentation for accuracy, completeness, and compliance.
  • Technical Validation: Conduct independent verification and validation (IV&V) of technical findings and risk statements.
  • Standards Assessment: Evaluate evidence against federal and industry standards, specifically validating compliance with ISO 27001, SOC 1 and SOC 2, and NIST standards.
  • Third-Party Risk: Assess vendor cybersecurity risk and review third-party risk documentation, demonstrating experience assessing and mitigating risks associated with vendor relationships.
  • Quality Assurance: Identify deficiencies or deviations from required quality and security standards. Provide feedback and guidance to assessment teams to maintain quality consistency.
  • Auditing & Reporting: Maintain documentation, audit trails, and quality records. Support internal audit activities and prepare reports for management review.
  • Process Improvement: Recommend enhancements to assessment processes and methodologies.

Required Experience and Technical Expertise

The role requires a high degree of specialization in GRC, risk mitigation, and specific federal assessment frameworks.

  • Information Security GRC (5+ Years):
    • Expertise in writing technical and risk management reports.
    • Experience assessing and mitigating risks associated with vendor relationships and vendor control evaluations.
    • Technical understanding of cybersecurity concepts and working knowledge of ISO 27001, SOC 1 and SOC 2, NIST SP 800-53, and NIST SP 800-171.
    • Experience performing risk-based due diligence.
  • Third Party Risk Management (3+ Years):
    • Experience evaluating third-party cyber risk.
    • Experience developing and implementing sustainable third-party cyber risk processes.
  • Federal Experience: Experience conducting assessments using NIST SP 800-53 within a federal agency.
  • Foundational Skills: Understanding of the Systems Development Life Cycle (SDLC) and its application to secure systems. Effective technical writing and documentation capabilities.
  • Education & Certifications: Advanced degree preferred, with relevant experience/certifications substituting. Mandatory certification from the list (CISSP, CISA, CISM, CTPRP, or CTPRA).

Job Features

Job Category: IT & Cybersecurity, Technical Services
