Vulnerability Management/Compliance Analyst

Posted 27 days ago

Remote, Philippines

The Vulnerability Management / Compliance Analyst supports the Team by strengthening the recurring vulnerability management lifecycle. The analyst assists with Qualys scan operations, vulnerability triage, ticket preparation, SLA tracking, exception register maintenance, and audit evidence organization. The role is operational and evidence-focused, intended to reduce workload from the Jr. Purple Teamer while maintaining strict supervision from the Team Manager.

Key Responsibilities:

Qualys Vulnerability Management Support:

  • Support recurring Qualys scanning cycles across approved BPO environments.
  • Validate scan completion, scan coverage, authentication status, agent status, and asset participation.
  • Identify missing, stale, duplicate, or inactive assets requiring cleanup or IT follow-up.
  • Export vulnerability data and prepare operational reports for review.

Vulnerability Triage and Prioritization Support:

  • Perform initial triage of vulnerabilities by severity, asset criticality, age, exploitability, and compliance relevance.
  • Identify obvious false positives, duplicate findings, superseded vulnerabilities, and stale detections.
  • Escalate critical and high-risk vulnerabilities for Manager or Jr. Analyst review.
  • Support prioritization of vulnerabilities affecting PCI, CDE, identity infrastructure, internet-facing systems, servers, workstations, and network devices.

Ticket Preparation and SLA Tracking:

  • Prepare remediation tickets with asset details, QID/CVE references, evidence, affected ports/services, remediation guidance, and due dates.
  • Track remediation SLAs for Critical, High, Medium, and compliance-relevant vulnerabilities.
  • Maintain weekly overdue vulnerability lists and escalation candidates.
  • Support follow-up with IT teams by providing clear technical context and evidence.

Agent Coverage and Scan Health Reporting:

  • Track Qualys agent coverage, inactive agents, non-reporting systems, unauthenticated scans, and scanning gaps.
  • Compare Qualys coverage against available asset inventories, EDR/Endpoint Management tools, CMDB data, or other approved sources.
  • Prepare coverage gap reports by BPO, site, account, asset type, and owner where data is available.

Exception Management and Risk Acceptance Support:

  • Maintain the vulnerability exception register with finding details, business owner, justification, expiration date, review date, and evidence.
  • Identify exceptions that are expired, missing justification, missing owner, or lacking compensating evidence.
  • Prepare exception documentation for Manager, GRC, and business owner review.
  • Do not approve exceptions or risk acceptance independently.

Compliance Evidence Management:

  • Organize evidence for ASV scans, internal authenticated vulnerability scans, pentest retests, segmentation tests, and remediation validation.
  • Maintain repository structure for PCI, ISO 27001, SOC2, and HIPAA evidence.
  • Ensure evidence packages include dates, scope, affected assets, results, remediation proof, and responsible parties.
  • Support audit readiness by keeping evidence complete, traceable, and reviewable.


Operational Metrics and Reporting:

  • Prepare recurring metrics for vulnerability age, MTTR, closure rate, reopened vulnerabilities, overdue findings, patch coverage, and agent coverage.
  • Produce BPO-level vulnerability summaries for internal review.
  • Support executive reporting with validated data, but do not own the final management narrative.

Process Improvement:

  • Document recurring pain points in the vulnerability management process.
  • Recommend improvements for ticketing, evidence handling, ownership tracking, SLA escalation, dashboarding, and scanner coverage.
  • Support the Team Manager and Jr. Analyst in standardizing the “Finding-to-Close” workflow.

Requirements

  • Bachelor's degree in Information Technology, Cybersecurity, or related field.
  • Experience with Qualys VMDR or equivalent vulnerability management platforms.
  • Strong understanding of CVE, CVSS, vulnerability lifecycle, remediation tracking, and false positive handling.
  • Working knowledge of Windows, Linux, servers, workstations, network devices, patching, and asset inventories.
  • Strong Excel, Power Query, Power BI, or dashboarding skills.
  • Familiarity with Jira, ServiceNow, or similar ticketing platforms.
  • Understanding of PCI DSS, ISO 27001, SOC2, HIPAA, and audit evidence expectations is preferred.
  • Preferred certifications: Security+, Qualys VMDR training, ISO 27001 Foundation, PCI awareness, or equivalent experience.

Job details

Workplace: Remote
Location: Philippines

For more than two decades, CallTek has been a global leader in delivering secure, compliant, and reliable white-label technical support services. As a Managed Service Provider (MSP), we offer 24/7 engineering, software development, field service, and customer support to technology operators and service providers worldwide. Our team of over 10,000 skilled professionals manages more than 20,000 buildings and one million enterprise network appliances globally.

We are dedicated to security and privacy, adhering to the highest industry standards, including PCI-DSS, ISO 27001, SOC 2, and GDPR. This commitment ensures that our partners' data is protected and their operations are compliant with global regulations.

At CallTek, we combine our expertise as an MSP with innovative technology. We’ve developed proprietary platforms such as Odyssey CX, powered by artificial intelligence (AI) and natural language processing (NLP), to provide advanced solutions that integrate seamlessly with your existing systems and give you deep customer insights. Our dedication to excellence extends to our 24/7 Live Customer Support and Field Service teams, who are available across 35,000 zip codes, including certified low-voltage Ekahau technicians ready to resolve break-fix jobs and perform Wireless Site Surveys.

Headquartered in Irvine, CA, CallTek has a global footprint with offices in nine countries, including the Dominican Republic, Colombia, Egypt, Guatemala, Honduras, India, Mexico, the Philippines, and the United States. Recognized for our unwavering commitment to security, privacy, and innovation, CallTek was named one of the Best Employers by The Philippine Daily Inquirer in 2023 and 2004. For more information on how CallTek can securely support your business with cutting-edge solutions, visit calltekinc.com.

Employees: 518
Industry: IT Services and IT Consulting
Headquarters: Irvine, California
Founded: 2004
Company location: 4605 BARRANCA PKWY STE 101G, Irvine, California 92604, US

Key team members

Ahmed El Sayed

Shirlene Shelley Zamora Tabernero

Kevin Spruill CECP

Joshua Bergen CHAE, CHTP

