Position Overview

The Information Risk Analyst plays a critical role in supporting the information risk management strategy within the Governance, Risk, and Compliance (GRC) function. This role is responsible for performing comprehensive risk assessments, supporting the design and implementation of risk management strategies, and driving continuous improvement in the organization’s risk posture.
Risk Assessment & Analysis

- Perform qualitative and quantitative risk analysis for systems, applications, business processes, vendors, and organizational changes
- Lead risk assessments across various sources, including but not limited to:
  - Information security
  - Third-party/vendor risk
  - Regulatory and compliance-driven audit gap assessments and findings (e.g., ISO 27001, NIST CSF, SOC 2, ISO 9001, HDS, PCI, etc.)
  - Findings from internal assessments, security incidents, vulnerability scans, penetration tests, business continuity and disaster recovery (BC/DR) findings, and other sources
- Apply standardized methodologies and frameworks (e.g., FAIR, NIST, ISO) to determine risk severity and potential impact
Risk Management & Mitigation

- Collaborate with stakeholders to develop and document risk treatment plans, mitigation strategies, and timelines
- Track and monitor remediation progress, escalate overdue or high-risk items, and validate closure of risk items
- Continuously maintain and enhance the risk register and GRC tools with accurate, timely, and complete risk data
- Provide consultation on control effectiveness and risk mitigation best practices
Program Development & Enablement

- Support the maturation of the Information Risk Management program by contributing to:
  - The development and maintenance of policies, procedures, standards, and templates
  - Automation and improvement of the assessment and reporting strategy
  - The design and launch of continuous risk assessment processes
- Assist in onboarding and educating stakeholders on risk processes and responsibilities
- Contribute to the development and delivery of risk reporting and dashboards for senior leadership and governance bodies
Stakeholder Engagement & Communication

- Serve as an effective member of the trusted advisory team to technical and non-technical stakeholders by providing risk guidance that is aligned with business objectives
- Facilitate risk discussions and presentations across various levels of leadership, stakeholders, and executive reporting groups
- Support awareness and training initiatives that strengthen the organization's risk culture
Required qualifications for the right candidate:

- Bachelor’s or Master’s degree in Information Security, Information Systems, Risk Management, or a related field
- 3–5 years of hands-on experience in information risk, security assessment, compliance, or related functions
- Strong understanding of risk frameworks (NIST RMF, ISO 27005, FAIR, etc.) and control standards (ISO 27001, NIST 800-53, CIS, etc.)
- Experience with GRC platforms (e.g., ServiceNow, JIRA, AuditBoard, etc.)
- Excellent analytical, writing, and communication skills, with the ability to synthesize technical details into executive-level summaries
- Demonstrated ability to communicate complex risk and security concepts clearly and effectively to senior leadership and non-technical stakeholders
- Proven ability to work independently and manage multiple priorities in a fast-paced environment
- Experience reviewing and understanding cloud environments (AWS, Azure, GCP) and their associated risk considerations
Preferred (not mandatory):

- Professional certifications such as Security+, CRISC, CISSP, CISA, or CISM
- Experience implementing the FAIR (Factor Analysis of Information Risk) model, including risk quantification, data calibration, and integration with technical risk assessment processes and tools, or a similar methodology
- Experience supporting internal or external audits
- Familiarity with regulatory requirements (e.g., GDPR, DORA, HIPAA, SOX, PCI, ISO 27001, ISO 9001, FedRAMP)
Success Measures

The Information Risk Analyst will be successful in this role when they can execute the following strategic tasks:

- People:
  - Collaborate with leads to understand our customers' risk requests and the issues/gaps that need to be addressed
  - Once successfully onboarded, regularly propose and implement improvements that streamline the program's risk intake, assessment, or reporting functions
- Organization:
  - Support multiple parallel efforts and prioritize tasks based on an understanding of team needs
  - Produce clear, complete, and actionable risk reports with minimal revisions required from reviewers or management
  - Write risk statements that consistently meet internal standards (e.g., well-scoped, impact/loss scenarios defined, likelihood assessed)
  - Apply the organization's risk scoring methodology consistently, with minimal deviation found upon peer or leadership review
  - Track and follow up on risk remediation plans to ensure items have an up-to-date status, appropriate ownership identified, and justification documented and verified
  - Support timely risk management decisions that can be tracked to a measurable reduction in residual risk over time
- Communication:
  - Successfully communicate recommendations and rationale to both technical and non-technical stakeholders
  - Maintain strong working relationships across technical and non-technical stakeholders; receive positive feedback in stakeholder surveys or project retrospectives
  - Facilitate risk discussions with cross-functional teams effectively
  - Prepare evidence and documentation for internal/external audits with no major findings attributable to risk assessment processes
- Research:
  - Gather and analyze feedback from internal stakeholders and develop pragmatic recommendations with respect to information risk initiatives
- Customer Service:
  - Ensure MongoDB’s GRC Program operates efficiently with minimal interruption to MongoDB teams; provide excellent risk-related services (e.g., risk assessments, remediation discussions, reporting, data collection and analysis) when interfacing with other MongoDB teams
  - Deliver or support internal training, effective knowledge transfer sessions, or onboarding as required to support program growth, risk awareness, and GRC maturity