Job Overview


PHEAA is seeking two IT Security Risk, Policy and Control Analysts. These positions are responsible for participating in and contributing to all aspects of PHEAA's Information Technology (IT) Security Risk, Policy, and Controls program. This includes providing Governance, Risk, and Compliance (GRC) monitoring and review of security policies and procedures for alignment with current industry, contractual, and agency requirements; providing documentation and updates to security policies and procedures; reviewing and revising security training initiatives; and performing security risk assessments. Additional core responsibilities include coordinating IT and security audits; maintaining audit-related security documentation; researching, processing, and reporting on security incidents; and assisting with Business Continuity Planning (BCP) administration. These positions perform work of moderate complexity with a high level of proficiency under general supervision.



Job Responsibilities

Security Governance, Risk, and Compliance

  • Provide governance by monitoring and reviewing the administration and content of security policies and procedures, federal documentation (including the System Security Plan and Incident Response Plan), and other standard security documentation, following best practices and security frameworks such as NIST, COBIT, ISO, and SANS.
  • Provide input for Information Security Policies that adhere to state and federal regulations.
  • Research, process, and report on agency security incidents. Drive governance of agency incident response management by working with business unit, legal, and compliance resources to provide timely notification and escalation.
  • Perform root cause analysis for security incidents in support of remediation and prevention efforts.
  • Coordinate internal, client, and regulatory IT and security audits. Meet with auditor representatives and subject matter experts to facilitate reviews.
  • Organize materials and provide quality assurance inspections of documentation (evidence and responses) to ensure compliance with current IT and security activities.
  • Maintain knowledge of system processes necessary to coordinate responses and interviews with subject matter experts.
  • Maintain knowledge of security program to enable providing overviews of policies, controls, BCP/DR, incident response, risk, and overall security practices and processes.
  • Develop reports on audit results, audit tracking, remediation, and the actions taken to improve results.

Risk Management

  • Perform risk management assessments and develop risk management methodologies utilizing PHEAA’s IT GRC tools and risk management platforms.
  • Assist with completion of regulatory and compliance assessments including SSAE 18, FFIEC Cybersecurity Toolkit, NIST Cybersecurity Framework, and related benchmarks.
  • Maintain and review the Enterprise Security Office security risk register. Maintain risk remediation-tracking documents and manage remediation timelines.
  • Provide governance of risk management by ensuring that risk assessments and risk reporting occur at the frequencies the organization requires.
  • Coordinate completion of required risk self-assessments and support risk management efforts in support of the agency’s contractual obligations and federal authority to operate (ATO).

Analysis and Documentation

  • Provide guidance on the controls necessary to protect sensitive data and achieve regulatory compliance.
  • Provide documentation, including procedures, for all areas of PHEAA's Security Risk, Policy, and Controls program, Governance, Risk and Compliance program, and Risk Management program.
  • Analyze processes and provide recommendations for improvements.
  • Review and update required security training for delivery via PHEAA’s Learning Management System.


  • Assist with administration and testing of PHEAA’s Enterprise Business Continuity Program (EBCP).
  • Assist PHEAA Privacy Office with analysis of agency privacy practices and procedures.
  • Represent the Enterprise Security Office, when requested, on agency Compliance, Audit, Risk, and Quality (CARQ) committees.



Job Qualifications

Bachelor's degree in computer science or information security and two or more years of information security or audit work experience, or an equivalent combination of skills, experience, and/or certifications.

  • Demonstrated ability to challenge the status quo, identify issues, and provide viable suggestions for improvement.
  • Proven excellent writing skills, including the ability to proofread for proper language and grammar and to perform editorial tasks.
  • Demonstrated effective time management, organization, and prioritization skills.
  • Possess a high level of integrity and ethics.
  • Strong attention to detail.
  • Ability to analyze complex information (e.g. probe, examine, and scrutinize).
  • Possession of, or the desire and ability to obtain, ISACA's Certified Information Systems Auditor (CISA) or other relevant security certification(s).
  • Proficient in Microsoft Office Suite.


  • Occasional weekend or off shift work to include overnight travel may be required.

Employee Benefits

Candidates will enjoy our comprehensive total rewards program, which offers Pennsylvania Employees Benefit Trust Fund (PEBTF) health/dental insurance and a defined benefit plan, as well as life insurance, flexible spending accounts, tuition reimbursement, participation in a deferred compensation program, and generous paid vacations and holidays.

About Us

Created in 1963 by the Pennsylvania General Assembly, the Pennsylvania Higher Education Assistance Agency (PHEAA) has evolved into one of the nation's leading student aid organizations. Today, PHEAA is a national provider of student financial aid services, serving millions of students and thousands of schools through its loan guaranty, loan servicing, financial aid processing, outreach, and other student aid programs.

PHEAA's earnings are used to support its public service mission and to pay its operating costs, including administration of the Pennsylvania State Grant and other state-funded student aid programs. PHEAA continues to devote its energy, resources, and imagination to developing innovative ways to ease the financial burden of higher education for students, families, schools, and taxpayers.

PHEAA conducts its student loan servicing activities nationally as American Education Services (AES) and FedLoan Servicing (FLS).

PHEAA is an Equal Opportunity Employer