GRC Analyst / Information Security

Position Summary The Information Security Analyst is responsible for independently executing and supporting key components of MCPC’s security, risk, and compliance program. This role reviews the organization’s systems, facilities, processes, and departments to assess security posture and reduce risk across operations, systems, networks, data, and the endpoint lifecycle supply chain. This position plays an active role in internal audits, policy development, risk management, access governance, and third‑party risk management. The Information Security Analyst partners closely with IT, Operations, and business stakeholders and directly supports MCPC’s commitment to protecting client data and maintaining trust by ensuring the confidentiality, integrity, and availability of information assets and services. Responsibilities Security Operations & Risk Management Identify, document, and assess security events, risks, and vulnerabilities, including defining remediation recommendations and tracking action plans to closure. Perform vulnerability and risk assessments and work with IT teams to drive remediation efforts, access reviews, and system hardening activities. Monitor security alerts and events, contributing to the ongoing tuning and improvement of DLP, SIEM, SOAR, and EDR detections. Evaluate emerging security threats and vulnerabilities and assess the effectiveness of existing security controls. Support secure adoption of new technologies, including Artificial Intelligence solutions, by identifying risks and recommending appropriate safeguards. Audits, Compliance & Policy Plan and execute internal security audits of MCPC systems, processes, and facilities to identify control gaps, risks, and improvement opportunities. Draft, review, and maintain information security policies, standards, and procedures aligned with industry best practices and regulatory requirements. Act as a primary security point of contact for MCPC employees and external parties during audits, assessments, and security reviews. Monitor and report on compliance with security awareness initiatives, phishing simulations, and related training programs. Maintain and enhance MCPC’s risk register, including risk analysis, prioritization, mitigation strategies, and progress tracking. Vendor & Supply Chain Risk Management Conduct security risk assessments for vendors and partners during onboarding and throughout the vendor lifecycle. Evaluate third‑party security controls, documentation, and attestations to identify and document risk. Monitor vendors and partners for reported security incidents, events, and supply chain risks. Support vendor risk management activities related to endpoint lifecycle management, IT asset management (ITAM), and IT asset disposition (ITAD) services. Incident Response & Resilience Maintain, document, and participate in testing of Incident Response, Disaster Recovery, and Business Continuity plans. Participate in security incident response activities, including investigation, coordination, documentation, and post‑incident reviews. Provide recommendations to improve incident response readiness and operational resilience. Program & Administrative Support Collaborate with internal departments to ensure security requirements are embedded into operational and business processes. Lead or contribute to security working sessions and document meeting agendas, decisions, and action items. Contribute to continuous improvement initiatives across the MCPC Security Program. Other tasks as assigned. Key Outcomes of this Position The continuous improvement of MCPC’s Security Program. Be a member of a skilled, engaged, and forward‑looking security team. Reduction in delta between vulnerability discovery and remediation. Measurable increase in items analyzed in MCPC’s risk register. Required Qualifications 2–5 years of experience in Information Security, Risk Management, Compliance, Internal Audit, or Security Operations. Bachelor’s degree in Information Security, Information Technology, Computer Science, or a related field, or equivalent professional experience. Working knowledge of: Entra ID / Active Directory SCCM / MECM / Intune Patch and endpoint lifecycle management CVSS vulnerability scoring and remediation prioritization Data disposition standards such as NIST 800‑88 and NAID AAA Experience working with industry security frameworks such as AICPA SOC 2, ISO 27001, NIST, and CIS. Strong written communication skills for audit reporting, policy drafting, and risk documentation. Ability to communicate security concepts effectively to both technical and non‑technical audiences. Proven ability to work independently and cross‑functionally with IT, Operations, and business teams. Preferred Qualifications: Experience leading or independently executing internal security audits or assessments. Hands‑on experience with third‑party risk management programs. Professional certifications such as Security+, Azure Fundamentals, CRISC, CISA, or similar. Physical Requirements The physical requirements include frequent sitting, occasionally walking, carrying light objects, grasping, reaching, rare stooping/crouching, clarity of vision, speaking, and listening ability with or without accommodation. Ability to occasionally drive or travel to MCPC satellite offices in the Greater Cleveland Area, Grand Rapids Michigan, Erie PA, and Kansas City MO, and other facilities. Benefits & Appreciation 401(k) matching and ROTH option. Company–sponsored events (picnics, cookouts, volunteering opportunities). Competitive medical, dental, and vision package. Company paid holidays and paid time off. Career paths and advancement. This job description in no way states or implies that these are the only duties to be performed by the employee occupying this position. Employees will be required to follow any other job‑related instructions and to perform other job‑related duties requested by their supervisor. Salary Range: $62,000 - $75,000 Posted: Tuesday, April 28, 2026 Job #: 392 #J-18808-Ljbffr