Risk and Security Analyst - EDP III at Off of the State Comptrollers
Boston, MA 02108, USA
Full Time


Start Date

Immediate

Expiry Date

07 Nov, 25

Salary

77289.16

Posted On

08 Aug, 25

Experience

2 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Servicenow, Accountability, Security, Enterprise Systems, Microsoft Office, Regulations, Business Units, Collaboration, Computer Systems Analysis, Business Analysis, Operations, Data Analytics, Internal Controls, Legislation, External Agencies, Ciw, Vi, Data Analysis

Industry

Financial Services

Description

RISK AND SECURITY ANALYST - EDP III

FY26-004
About the Office of the Comptroller
The Office of the Comptroller ensures that the more than $50 billion in annual transactions authorized by the general appropriations act and supplemental appropriations are executed in accordance with all statutory requirements and recorded in compliance with accounting standards. We also oversee capital assets, federal funding inflows, and other transactions. We also own and maintain statewide payments and payroll systems, safeguarding critical financial information. We operate in support of our partners, the financial staff at more than 150 departments and agencies across the Commonwealth.
As stewards of the public trust, CTR aspires to inspire confidence by maintaining our core principles: clarity, integrity, and accountability.
The powers and obligations of the Office of the Comptroller are generally dictated by M.G.L. c. 7A.
Position Summary
The Office of the Comptroller is seeking a Risk and Security Analyst, a position assigned to the Statewide Risk Management and Compliance Team (SRMCT). The position reports to the Assistant Comptroller for Risk and Compliance. This position is responsible for enterprise system access management and a variety of departmental reviews to determine compliance by more than 150 Commonwealth departments with internal controls, state finance law, and Comptroller regulations and policies. Additionally, this position will apply technical knowledge and skills to assess and mitigate risks related to CTR systems. The ability to mine data from the Commonwealth’s Enterprise systems, and to analyze, report on and draw conclusions from that data, is a key skill of the job.
Strong analytical, communication and presentation skills, along with experience writing reports and recommendations, are critical skills for the successful candidate. This position requires a self-starter with capabilities and attributes which include the following: attention to detail; superior time management and solid multitasking skills; ability to contribute and work productively as part of a team; positive attitude; capacity to remain flexible and learn new accounting, auditing and technical standards as necessary; and the ability to work well under pressure.

Specific Duties:

  • Support SRMCT Security Team with statewide enterprise system(s) access requests as additional resource
  • Lead the semi-annual statewide Department Security Access review and approval process
  • Perform data analysis and risk assessments of state departments:
      • Security roles usage, compliance and access
      • Risk ratings for overall compliance with Comptroller policies, regulations and state finance law
  • Provide technical assistance and advice to Department Security Officers (DSO) on enterprise security access management, and provide advice and assistance to departments on other internal controls and compliance issues
  • Serve as an analyst for the statewide Internal Control Certification (ICC) – (formerly the Internal Control Questionnaire) and sampling statewide queries for other desk reviews
  • Participate in department ICC interviews, desk reviews and virtual and on-site visits
  • Conduct training and retraining of Department Security Officers (DSOs)
  • Maintain updated Security Access Management Guides for enterprise systems (including MMARS and HRCMS)
  • To effectively assess risks, monitor compliance and the effectiveness of robust internal controls, maintain knowledge and understanding of how information systems operate, including software, hardware, and networks
  • Assist with internal training of Comptroller employees on the relationship of department devices (laptops, cell phones, etc.) and fraud awareness/phishing training
  • Review Commonwealth departments’ written systems of internal controls and provide technical assistance and advice to departments on internal controls

  • Participate in Incident Responses – protecting enterprise systems, aiding departments with internal control advice, tracking tasks and disabling and restoring enterprise security access roles

  • Assist with data analytics and review of samples for department desk reviews to determine compliance with state finance law and Comptroller policies and regulations
  • Assist SRMCT in review and support of security access, internal controls, IT and Single Audit, cybersecurity and compliance as assigned
  • Remain current on CTR oversight policies
  • All employees of CTR may be asked to engage in other assignments on an as needed basis

Bargaining Unit / Salary Range: NAGE Unit 6 / Grade 14: $77,289.16 - $113,024.34
As per the Unit 6 Collective Bargaining Agreement between the Commonwealth of Massachusetts and the National Association of Government Employees, the range is based upon a series of steps. Any potential offer is determined based upon an analysis of the minimum entrance requirements, the candidate’s relevant work experience and educational achievement level.

REQUIRED QUALIFICATIONS

  • General knowledge of working in enterprise systems like MMARS, HRCMS, and CIW, or other state government systems
  • Ability to work both independently and in a team setting
  • Proficiency in assessing the impact of regulations and legislation on business functions
  • Ability to perform accurate and timely research
  • Skilled in the presentation of information through data analysis and interpretation
  • Provide solid and informed advice and recommendations
  • Ability to develop relationships with the operational and management teams at external agencies, partners or clients including with colleagues within the various Business Units of a complex organization
  • Proficiency with Microsoft Office 365 tools
  • Commitment to the Office of the Comptroller’s core values of innovation, transparency, integrity, accountability, collaboration, excellence and customer service

Minimum Entrance Requirements

Applicants must have at least (A) four years of full-time, or equivalent part-time, professional experience in electronic data processing of which (B) at least two years must have been in work in which the major duties included computer systems analysis, or (C) any equivalent combination of the required experience and the substitutions below.