What you'd actually do

Execute risk assessments under senior guidance - perform scoping, inherent risk scoring, control assessment, and residual risk calculation using established methodology

Conduct risk identification intake, manage the flow of requests from Jira Service Desk and the Issue Intake Tracker, review incoming submissions against entry criteria, assign Risk IDs, and replicate validated risks into the Risk Register

Act as the Triage Officer for incoming risk submissions, determine whether submissions represent strategic risks, operational issues, or duplicates. Filter noise to focus the team on signals

Develop risk scenarios for in-scope assets by working with asset owners and risk owners , identify threat communities, threat events, and impact categories

Draft Risk Assessment Memos that tell a cohesive story from risk statement to risk rating to actionable recommendation. Progressively build toward independently authored memos that require minimal review notes

Skills

Required

Experience performing risk assessments — including risk identification, inherent/residual risk scoring, and documentation of findings
Experience identifying, documenting, and evaluating controls — including assessment of design adequacy and operating effectiveness
Strong working knowledge of NIST CSF, NIST SP 800-30/39/53, and ISO/IEC 27005 — ability to use these frameworks as a library of controls and risk guidance
Advanced proficiency in Excel/Google Sheets (pivot tables, VLOOKUP, complex formulas) for risk data analysis and reporting
Jira proficiency — managing projects, creating workflows and dashboards, and using JQL
Ability to write clear, concise, and defensible Risk Assessment Memos

Nice to have

Progressively build the technical fluency to lead stakeholder conversations independently
Develop working proficiency in cloud-native architectures, SaaS security models, and common technical controls (IAM, encryption, network segmentation, logging/monitoring)

Description:

The Information Security Risk Analyst is the operational engine of the internal risk program. While the Senior IRM Analyst and Risk Director define the strategic roadmap, the Analyst ensures the daily execution of that strategy. They are responsible for the "production line" of risk assessment: taking raw signals from the business, processing them through the established methodology, and outputting actionable risk decisions (Remediation or Acceptance).

The ultimate objective of this role is Reduction of Uncertainty. By managing the program effectively, the IRM Analyst ensures that MongoDB’s leadership has a clear, quantified view of the top risks facing the enterprise. They transform the Risk Register from a static spreadsheet into a dynamic governance tool that drives accountability.

The IRM Analyst must not be afraid to be in the trenches with the Engineering and Product teams. They are the primary face of the "Risk Intake Process," guiding stakeholders through the methodology. They are the gatekeeper of quality, ensuring that no risk enters the register until it has been properly scoped and quantified.

Responsibilities:

Risk Identification & Assessment

Execute risk assessments under senior guidance - perform scoping, inherent risk scoring, control assessment, and residual risk calculation using established methodology
Conduct risk identification intake, manage the flow of requests from Jira Service Desk and the Issue Intake Tracker, review incoming submissions against entry criteria, assign Risk IDs, and replicate validated risks into the Risk Register
Act as the Triage Officer for incoming risk submissions, determine whether submissions represent strategic risks, operational issues, or duplicates. Filter noise to focus the team on signals
Develop risk scenarios for in-scope assets by working with asset owners and risk owners , identify threat communities, threat events, and impact categories
Draft Risk Assessment Memos that tell a cohesive story from risk statement to risk rating to actionable recommendation. Progressively build toward independently authored memos that require minimal review notes
Monitor and flag emerging risk signals , including AI-related risks (model integrity, data poisoning, shadow AI, third-party AI dependencies) , and escalate with documented analysis for integration into the risk framework

Control Identification, Mapping & Assessment

Identify and document controls that mitigate assessed risks , map controls to specific risk scenarios and applicable framework requirements (NIST SP 800-53, ISO 27001, SOC 2)
Assess the design adequacy of controls , evaluate whether each control is appropriately designed to address the risk it is mapped to, and document findings with supporting rationale
Assess the operating effectiveness of controls , collect and evaluate evidence to determine whether controls are functioning as designed over the assessment period, and document results
Document control gaps and support remediation tracking , maintain clear records of where controls are missing, partially effective, or require compensating controls. Track remediation progress
Maintain control-to-framework mappings to ensure risk assessment outputs directly support audit and certification evidence packages (FedRAMP, SOC 2, ISO 27001, PCI-DSS)

Risk Categorization & Governance

Apply the established risk taxonomy and categorization methodology consistently across all assessed risks
Process risk acceptance requests in Jira , validate completeness, ensure documented context and stakeholder sign-off, confirm time-bound conditions, and flag concerns to the Senior lead
Maintain the Risk Register, risk inventory, and supporting trackers with obsessive attention to data integrity, no missing dates, undefined owners, or stale entries. A Risk Register with governance gaps is a program failure

Reporting & Stakeholder Engagement

Contribute to KRI data collection and dashboard inputs , support accurate, timely reporting that feeds executive risk dashboards and governance forum materials
Engage directly with technical stakeholders (engineering, product, infrastructure teams) during risk assessments , ask informed questions, gather evidence, and document findings
Progressively build the technical fluency to lead stakeholder conversations independently , develop working proficiency in cloud-native architectures, SaaS security models, and common technical controls (IAM, encryption, network segmentation, logging/monitoring)
Translate technical findings into clear, business-relevant risk language in all written work products

Policy, Process & Governance Hygiene

Support drafting and maintaining risk procedures, guidelines, and assessment templates across the IRM program scope
Execute governance hygiene , data quality, tracker maintenance, workflow adherence, evidence organization, and documentation standards
Manage the risk assessment pipeline in Jira, create and maintain workflows, dashboards, and use JQL to track the assessment ticket lifecycle

Requirements:

Experience & Education:

3–5 years of experience in Information Security, Governance, Risk, and Compliance (GRC), or Enterprise Risk Management
Experience performing risk assessments — including risk identification, inherent/residual risk scoring, and documentation of findings
Experience identifying, documenting, and evaluating controls — including assessment of design adequacy and operating effectiveness
Strong working knowledge of NIST CSF, NIST SP 800-30/39/53, and ISO/IEC 27005 — ability to use these frameworks as a library of controls and risk guidance
Advanced proficiency in Excel/Google Sheets (pivot tables, VLOOKUP, complex formulas) for risk data analysis and reporting
Jira proficiency — managing projects, creating workflows and dashboards, and using JQL
Ability to write clear, concise, and defensible Risk Assessment Memos
Obsessive attention to detail regarding data integrity and documentation quality
Foundational understanding of cloud-native architectures and common technical controls (IAM, encryption, logging/monitoring, network segmentation) — with a commitment to building deeper technical fluency
Awareness of AI risk concepts and willingness to develop expertise in emerging AI risk and regulatory landscape
A strong track record of collaborating effectively across teams and levels
Bachelor's degree in Cybersecurity, Information Systems, Business Administration, or a related field
Certifications: At least, one of the following certifications is required - CRISC, CISM, CISSP, or CISA

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB.

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys.Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB is an equal opportunities employer.

Req ID: 1273425625

Description:

Responsibilities:

Risk Identification & Assessment

Execute risk assessments under senior guidance - perform scoping, inherent risk scoring, control assessment, and residual risk calculation using established methodology
Conduct risk identification intake, manage the flow of requests from Jira Service Desk and the Issue Intake Tracker, review incoming submissions against entry criteria, assign Risk IDs, and replicate validated risks into the Risk Register
Act as the Triage Officer for incoming risk submissions, determine whether submissions represent strategic risks, operational issues, or duplicates. Filter noise to focus the team on signals
Develop risk scenarios for in-scope assets by working with asset owners and risk owners , identify threat communities, threat events, and impact categories
Draft Risk Assessment Memos that tell a cohesive story from risk statement to risk rating to actionable recommendation. Progressively build toward independently authored memos that require minimal review notes
Monitor and flag emerging risk signals , including AI-related risks (model integrity, data poisoning, shadow AI, third-party AI dependencies) , and escalate with documented analysis for integration into the risk framework

Control Identification, Mapping & Assessment

Identify and document controls that mitigate assessed risks , map controls to specific risk scenarios and applicable framework requirements (NIST SP 800-53, ISO 27001, SOC 2)
Assess the design adequacy of controls , evaluate whether each control is appropriately designed to address the risk it is mapped to, and document findings with supporting rationale
Assess the operating effectiveness of controls , collect and evaluate evidence to determine whether controls are functioning as designed over the assessment period, and document results
Document control gaps and support remediation tracking , maintain clear records of where controls are missing, partially effective, or require compensating controls. Track remediation progress
Maintain control-to-framework mappings to ensure risk assessment outputs directly support audit and certification evidence packages (FedRAMP, SOC 2, ISO 27001, PCI-DSS)

Risk Categorization & Governance

Apply the established risk taxonomy and categorization methodology consistently across all assessed risks
Process risk acceptance requests in Jira , validate completeness, ensure documented context and stakeholder sign-off, confirm time-bound conditions, and flag concerns to the Senior lead
Maintain the Risk Register, risk inventory, and supporting trackers with obsessive attention to data integrity, no missing dates, undefined owners, or stale entries. A Risk Register with governance gaps is a program failure

Reporting & Stakeholder Engagement

Contribute to KRI data collection and dashboard inputs , support accurate, timely reporting that feeds executive risk dashboards and governance forum materials
Engage directly with technical stakeholders (engineering, product, infrastructure teams) during risk assessments , ask informed questions, gather evidence, and document findings
Progressively build the technical fluency to lead stakeholder conversations independently , develop working proficiency in cloud-native architectures, SaaS security models, and common technical controls (IAM, encryption, network segmentation, logging/monitoring)
Translate technical findings into clear, business-relevant risk language in all written work products

Policy, Process & Governance Hygiene

Support drafting and maintaining risk procedures, guidelines, and assessment templates across the IRM program scope
Execute governance hygiene , data quality, tracker maintenance, workflow adherence, evidence organization, and documentation standards
Manage the risk assessment pipeline in Jira, create and maintain workflows, dashboards, and use JQL to track the assessment ticket lifecycle

Requirements:

Experience & Education:

3–5 years of experience in Information Security, Governance, Risk, and Compliance (GRC), or Enterprise Risk Management
Experience performing risk assessments — including risk identification, inherent/residual risk scoring, and documentation of findings
Experience identifying, documenting, and evaluating controls — including assessment of design adequacy and operating effectiveness
Strong working knowledge of NIST CSF, NIST SP 800-30/39/53, and ISO/IEC 27005 — ability to use these frameworks as a library of controls and risk guidance
Advanced proficiency in Excel/Google Sheets (pivot tables, VLOOKUP, complex formulas) for risk data analysis and reporting
Jira proficiency — managing projects, creating workflows and dashboards, and using JQL
Ability to write clear, concise, and defensible Risk Assessment Memos
Obsessive attention to detail regarding data integrity and documentation quality
Foundational understanding of cloud-native architectures and common technical controls (IAM, encryption, logging/monitoring, network segmentation) — with a commitment to building deeper technical fluency
Awareness of AI risk concepts and willingness to develop expertise in emerging AI risk and regulatory landscape
A strong track record of collaborating effectively across teams and levels
Bachelor's degree in Cybersecurity, Information Systems, Business Administration, or a related field
Certifications: At least, one of the following certifications is required - CRISC, CISM, CISSP, or CISA

About MongoDB

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB.

MongoDB is an equal opportunities employer.

Req ID: 1273425625

Irm Analyst

What you'd actually do

Skills

Required

Nice to have

What the JD emphasized

Description:

Responsibilities:

Risk Identification & Assessment

Control Identification, Mapping & Assessment

Risk Categorization & Governance

Reporting & Stakeholder Engagement

Policy, Process & Governance Hygiene

Requirements:

About MongoDB

Description:

Responsibilities:

Risk Identification & Assessment

Control Identification, Mapping & Assessment

Risk Categorization & Governance

Reporting & Stakeholder Engagement

Policy, Process & Governance Hygiene

Requirements:

About MongoDB

What you'd actually do

Skills

Required

Nice to have

What the JD emphasized

Description:

Responsibilities:** **

Risk Identification & Assessment

Control Identification, Mapping & Assessment

Risk Categorization & Governance

Reporting & Stakeholder Engagement

Policy, Process & Governance Hygiene

Requirements:

About MongoDB

Description:

Responsibilities:** **

Risk Identification & Assessment

Control Identification, Mapping & Assessment

Risk Categorization & Governance

Reporting & Stakeholder Engagement

Policy, Process & Governance Hygiene

Requirements:

About MongoDB

Responsibilities:

Responsibilities: