IT Security Risk and Compliance Analyst - Hybrid - 139800

Position Title IT Security Risk and Compliance Analyst Department Information Services Location Towne Centre Drive, San Diego, CA (Hybrid) Appointment Type Career, 100% Full-time Salary $105,000 - $132,000 per year Application Deadline Thu 6/11/2026 Job Summary The IT Security Risk and Compliance Analyst executes processes across the organization to conduct the required IT security risk assessment and compliance program to reduce information security risk, address threats and vulnerabilities to information assets, monitor compliance to policy, and improve the overall security posture of the University. The role performs security risk assessments and internal security audits/reviews, supports external audits and accreditation activities, and operates the governance components of the vulnerability management program, including vulnerability analysis, risk‑based prioritization, remediation tracking, validation of remediation effectiveness, and documentation of risk acceptance when remediation is deferred. The analyst provides recommendations for security controls and ensures follow‑through through established governance processes to meet campus policy and regulatory requirements such as HIPAA, PCI, FERPA, and related standards. The incumbent maintains audit‑ready decision records and evidence artifacts that support internal and external audits, regulatory oversight, and legally mandated information requests, including documentation of risk assessments, vulnerability decisions, compensating controls, governance approvals, secure handling of sensitive data, access constraints, and defensible evidence production for legal hold and eDiscovery matters. Minimum Qualifications Seven (7) years of related experience, education/training, or a Bachelor’s degree in a related area plus three (3) years of related experience/training in security risk assessments and/or internal security reviews that ensure security controls meet policy and/or regulatory requirements. Ability to follow department processes and procedures. Interpersonal skills sufficient to work effectively with both technical and non‑technical personnel at various levels in the organization. Experience using IT security systems and tools. Knowledge of data encryption techniques. Knowledge of other areas of IT, department processes, and procedures. Demonstrated skills applying security controls to computer software and hardware. Experience in incident response and digital forensics, including data collection, examination, and analysis. Demonstrated skill at administering complex security controls and configurations to computer hardware, software, and networks. Knowledge of computer hardware, software and network security issues and approaches. Demonstrated experience selecting and applying appropriate data encryption technologies. Preferred Qualifications Exposure to vulnerability management programs, including risk‑based prioritization, remediation tracking, validation of remediation effectiveness, and documentation of risk acceptance. Ability to apply security risk assessment practices to third‑party/vendor reviews, including evaluation of evidence, identification of risks, and documentation of findings and conditions. Familiarity with legal hold and eDiscovery workflows, including secure handling of sensitive exports and defensible evidence production. Familiarity with external security audits/accreditations and internal security audit/review processes. Comfort operating in regulated environments (healthcare and/or research) with applicable compliance drivers (e.g., HIPAA, PCI, FERPA, campus policy requirements). Skilled in documenting risk exceptions/acceptances, compensating controls, and governance routing/approvals. Strong cross‑functional advisory skills with technical and non‑technical stakeholders. Special Conditions Must be able to work various hours and locations based on business needs. Employment is subject to a criminal background check and pre‑employment physical. Misconduct Disclosure Requirement As a condition of employment, the final candidate who accepts an offer of employment will be required to disclose if they have been subject to any final administrative or judicial decisions within the last seven years determining that they committed any misconduct; or have filed an appeal of a finding of substantiated misconduct with a previous employer. “Misconduct” means any violation of the policies governing employee conduct at the applicant’s previous place of employment, including, but not limited to, violations of policies prohibiting sexual harassment, sexual assault, or other forms of harassment, or discrimination, as defined by the employer. UC Sexual Violence and Sexual Harassment Policy UC Anti‑Discrimination Policy Abusive Conduct in the Workplace Equal Opportunity Statement The University of California is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, age, protected veteran status, or other protected status under state or federal law. For more information about the University’s Anti‑Discrimination Policy, visit #J-18808-Ljbffr UC San Diego Health