VM Governance Analyst

Playing an essential role in the U.S. economy, Fannie Mae is foundational to housing finance. Here, your expertise can help fuel purpose-driven innovation that expands access to homeownership and affordable rental housing across the country. Join Fannie Mae to grow your career and help people find a place to call home.

Job Description

THE IMPACT YOU WILL MAKE

The VM Governance Analyst role will offer you the flexibility to make each day your own, while working alongside people who care so that you can deliver on the following responsibilities:

• Apply risk and controls frameworks to support vulnerability governance and oversight

• Ensure compliance with established risk frameworks, control requirements, and internal policy standards

• Assist in governance activities, risk assessments, and reporting processes

• Maintain vulnerability management standard, procedures, and guidelines

• Document and update process flows and workflow diagrams

• Support control effectiveness monitoring related to vulnerability remediation

• Gather, validate, and analyze vulnerability data for governance and leadership reporting

• Track remediation progress and SLA adherence across technology domains

• Identify vulnerabilities requiring risk escalation and exception review

• Prepare and present PowerPoint presentations for leadership, governance working groups and audit reviews

• Maintain documentation for risk acceptance, control validation, audit and regulatory reviews

• Produce recurring operational and executive-level metrics and dashboards

• Identify trends, systemic risks, and opportunities for process improvement

Minimum Required Experiences:

• 2 years experience

• Understanding of cybersecurity vulnerabilities and remediation lifecycles

• Strong understanding of risk frameworks (e.g. NIST)

• Working knowledge and acknowledgement of controls frameworks (e.g. NIST, ISO27001, COBIT)

• Ability to support structured risk assessments (likelihood, impact, residual risk)

• Ability to ensure compliance with risk frameworks, control requirements, and standards

• Advanced Microsoft Excel skills (pivot tables, VLOOKUP, data cleansing, trend analysis)

• Strong PowerPoint presentation skills for leadership-level reporting

• Experience translating technical vulnerability data, analyzing large datasets and identify actionable risk-focused insights

• Strong technical writing skills with ability to draft standards, procedures, guidelines, and process documentation

• Ability to document and visualize process flows and governance workflows

• Shows curiosity and adaptability in learning and responsibly applying new technologies, including artificial intelligence, to reimagine how we work.

Desired Experiences:

• Bachelor degree or equivalent

• 5+ of experience in cybersecurity, vulnerability management, IT risk, audit, compliance, or governance-related roles

• Experience supporting vulnerability reporting, risk assessments, governance processes, drafting standards and procedures, or compliance activities preferred

• Experience working with metrics, dashboards, or executive-level reporting in an enterprise or regulated environment preferred

• Vulnerability governance and oversight experience

• Application of risk and controls frameworks

• Risk assessment support and risk documentation

• Governance reporting and compliance monitoring

• Process flow documentation and workflow mapping

• Risk-based escalation and exception tracking

• Metrics development and KRI tracking

• Dashboard development and data visualization

• Executive- level communication and presentation

Certifications:

• CISA (Certified Information Systems Auditor) – preferred

• CRISC (Certified in Risk and Information Systems Control) – preferred

• Security + or equivalent foundational security certification – a plus

Competencies:

• Risk-based thinking and analysis

• Governance and oversight mindset

• Framework-driven decision making

• Analytical and quantitative reasoning

• Process orientati9on and workflow design capabilities

• Attention to detail and data integrity

• Professional judgment and escalation discipline

• Stakeholder communication and influence

• Ability to manage multiple reporting cycles and deadlines

Target Pay Range: $109,000.00 - $142,000.00 a year
 

Internal Job Title: Vulnerability Management - Technology Assessment - Senior Associate

#LI-JM1 #LI-Hybrid

 

Qualifications

Education:

The future is what you make it to be. Discover compelling opportunities at Fanniemae.com/careers.

For most roles, employees are expected to work onsite on a regular basis at their designated office location. In-office work cadence is determined by your manager. Proximity within a reasonable commute to your designated office location is preferred unless the job is noted as open to remote.

Fannie Mae is an equal opportunity employer and considers qualified applicants for employment without regard to race, color, religion, sex, national origin, disability, age, sexual orientation, gender identity/gender expression, marital or parental status, or any other protected factor. Fannie Mae is committed to providing reasonable accommodations to qualified individuals with disabilities who are employees or applicants for employment, unless to do so would cause undue hardship to the company. If you need assistance using our online system and/or you need a reasonable accommodation related to the hiring/application process, please complete this form.

The hiring range for this role is set forth below. Final salaries will generally vary within that range based on factors that include but are not limited to, skill set, depth of experience, certifications, and other relevant qualifications. This position is eligible to participate in a Fannie Mae incentive program (subject to the terms of the program). As part of our comprehensive benefits package, Fannie Mae offers a broad range of Health, Life, Voluntary Lifestyle, and other benefits and perks that enhance an employee's physical, mental, emotional, and financial well-being. See more here.

Requisition compensation:

to