
Information Risk Analyst - GRC

MongoDB
Summary
Join MongoDB as an Information Risk Analyst and play a critical role in supporting the information risk management strategy within the Governance, Risk, and Compliance (GRC) function. You will perform comprehensive risk assessments, support the design and implementation of risk management strategies, and drive continuous improvement in the organization’s risk posture. Partner with IT, security, legal, and other business stakeholders to identify, assess, and manage risks related to information security, technology, and business operations. This is a significant opportunity to help build out an internal GRC Program and scale MongoDB Inc. to support customer needs. The position offers significant growth potential and requires initiative and leadership. The role is expected to be remote, with the opportunity to work in the office as needed.
Requirements
- Bachelor’s or Master’s degree in Information Security, Information Systems, Risk Management, or a related field
- 3–5 years of hands-on experience in information risk, security assessment, compliance, or related functions
- Strong understanding of risk frameworks (NIST RMF, ISO 27005, FAIR, etc.) and control standards (ISO 27001, NIST 800-53, CIS, etc.)
- Experience with GRC platforms (e.g., ServiceNow, Jira, AuditBoard)
- Excellent analytical, writing, and communication skills, with the ability to synthesize technical details into executive-level summaries
- Demonstrated ability to communicate complex risk and security concepts clearly and effectively to senior leadership and non-technical stakeholders
- Proven ability to work independently and manage multiple priorities in a fast-paced environment
- Experience reviewing and understanding cloud environments (AWS, Azure, GCP) and their associated risk considerations
Responsibilities
- Perform qualitative and quantitative risk analysis for systems, applications, business processes, vendors, and organizational changes
- Lead risk assessments drawing on various sources, including but not limited to: information security; third-party/vendor risk; regulatory and compliance-driven audit gap assessments and findings (e.g., ISO 27001, NIST CSF, SOC 2, ISO 9001, HDS, PCI); findings from internal assessments, security incidents, vulnerability scans, penetration tests, and business continuity and disaster recovery (BC/DR) reviews; and other sources
- Apply standardized methodologies and frameworks (e.g., FAIR, NIST, ISO) to determine risk severity and potential impact
- Collaborate with stakeholders to develop and document risk treatment plans, mitigation strategies, and timelines
- Track and monitor remediation progress, escalate overdue or high-risk items, and validate closure of risk items
- Continuously maintain and enhance the risk register and GRC tools with accurate, timely, and complete risk data
- Provide consultation on control effectiveness and risk mitigation best practices
- Support the maturation of the Information Risk Management program by contributing to:
  - The development and maintenance of policies, procedures, standards, and templates
  - Automation and improvement of the assessment and reporting strategy
  - The design and launch of continuous risk assessment processes
- Assist in onboarding and educating stakeholders on risk processes and responsibilities
- Contribute to the development and delivery of risk reporting and dashboards for senior leadership and governance bodies
- Become an effective part of the trusted advisory team for technical and non-technical stakeholders by providing risk guidance that is aligned to business objectives
- Facilitate risk discussions and presentations across various levels of leadership, stakeholders, and executive reporting groups
- Support awareness and training initiatives that strengthen the organization's risk culture
Preferred Qualifications
- Professional certifications such as Security+, CRISC, CISSP, CISA, or CISM
- Experience implementing the FAIR (Factor Analysis of Information Risk) model or a similar methodology, including risk quantification, data calibration, and integration with technical risk assessment processes and tools
- Experience supporting internal or external audits
- Familiarity with regulatory requirements (e.g., GDPR, DORA, HIPAA, SOX, PCI, ISO 27001, ISO 9001, FedRAMP)
Benefits
- Flexible paid time off
- 20 weeks fully-paid gender-neutral parental leave
- Fertility and adoption assistance
- 401(k) plan
- Mental health counseling
- Access to transgender-inclusive health insurance coverage
- Health benefits offerings