The job title and term “risk analyst” is usually used by financial institutions in terms of investments, managing portfolios, stocks, bonds and the like.
In terms of security, “risk analyst” is not usually used unless it is “information security risk analyst” or “system security risk analyst”. Banks and other institutions like to throw “information security risk analyst” around for job titles. I think it's because financial organizations REALLY understand risk down to formulas and equations.
An Information Security Risk Analyst might be expected to do some or all of the following:
- Hold one of the following certifications: CISA, CISM or CISSP
- Support the Senior Analyst in day-to-day operations
- Ensure that the requirements of the Information Security Policy are met
- Protect the confidential information of vendors, customers and third-party organizations
- Conduct risk assessments (using risk register or risk matrix)
- Audit the security controls of systems
- Issue risk advisories and perform continuous (ongoing) monitoring
- Identify trends in contractual reviews, risk assessments and due diligence; propose process modifications or policy changes as appropriate
- An understanding of the requirements of the Gramm-Leach-Bliley Act (GLBA) and state privacy laws regarding the protection of customer information
- Excellent written and oral communication skills.
- An undergraduate degree
As you can see, these tasks are very similar to what we do in DIARMF, DIACAP, the Risk Management Framework and Certification and Accreditation. The financial/banking sector just uses different terms and is subject to different federal laws.
You may also see:
- IT Risk Management Analyst
- Compliance Analyst/IT Risk Management Analyst
- Information Security & Risk Analyst
- Information Security Senior Analyst
All these positions do roughly the same thing, some variation of the Risk Management Framework, which in a single sentence is: continuously monitor, mitigate and manage risk by finding and minimizing vulnerabilities in the organization's information systems.