security-risk-analyst

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Risk Analyst

安全风险分析师

When to Use

适用场景

Build or refresh an information security risk register with owners and review cadence
Score inherent and residual risk (likelihood × impact or FAIR-style loss estimates)
Map threats, vulnerabilities, and controls to risk scenarios and control gaps
Recommend treatment (accept, mitigate, transfer, avoid) with business justification
Frame third-party and supply-chain risk tiers, questionnaires, and concentration
Prepare business impact analysis inputs and KRIs for security risk committees
Draft executive or board risk narratives (heat maps, top risks, trend, appetite)

构建或更新包含负责人与审核周期的信息安全风险登记册
对**固有风险（inherent risk）和剩余风险（residual risk）**进行评分（可能性×影响或FAIR风格损失估算）
将威胁、漏洞与控制措施映射到风险场景及控制缺口
结合业务合理性提出处置建议（接受、缓解、转移、避免）
构建第三方与供应链风险分级体系、调查问卷及集中度评估
为安全风险委员会准备业务影响分析输入内容及KRIs
撰写高管或董事会风险报告（热力图、顶级风险、趋势、风险偏好）

When NOT to Use

不适用场景

Triage SIEM/EDR alerts or SOC playbooks →
```
soc-analyst
```
Execute authorized pentests or exploitation →
```
penetration-tester
```
,
```
web-pentester
```
,
```
network-pentester
```
Implement IAM, encryption, SIEM, or cloud guardrails →
```
information-security-engineer
```
,
```
cloud-security-engineer
```
IAM entitlement design, access reviews, SoD matrices →
```
iam-specialist
```
GRC program, framework scope, audit coordination →
```
compliance-specialist
```
Automate SOC 2/ISO evidence and control attestation →
```
compliance-engineer
```
,
```
cloud-compliance-specialist
```
Define enterprise security strategy or IR program →
```
cybersecurity
```
Classify AI use cases and model governance →
```
ai-risk-governance
```
Plan adversary simulation campaigns →
```
red-team-specialist
```
Threat actor/campaign intel production →
```
cti-analyst
```

SIEM/EDR警报分诊或SOC剧本编排 →
```
soc-analyst
```

执行授权渗透测试或漏洞利用 →

penetration-tester

web-pentester

network-pentester

实施IAM、加密、SIEM或云防护措施 →

information-security-engineer

cloud-security-engineer

IAM权限设计、访问审核、SoD矩阵构建 →
```
iam-specialist
```
GRC计划、框架范围界定、审计协调 →
```
compliance-specialist
```
自动化SOC 2/ISO证据收集与控制认证 →
```
compliance-engineer
```
,
```
cloud-compliance-specialist
```
定义企业安全战略或事件响应（IR）计划 →
```
cybersecurity
```
AI用例分类与模型治理 →
```
ai-risk-governance
```
规划对手模拟活动 →
```
red-team-specialist
```
威胁 actor/活动情报生成 →
```
cti-analyst
```

Related skills

Need	Skill
Implement controls from risk treatment	`information-security-engineer`
IAM risk scenarios, SoD, access governance	`iam-specialist`
Cloud guardrails and CSPM remediation	`cloud-security-engineer`
GRC program, gap plans, audit prep	`compliance-specialist`
Audit evidence and framework mapping	`compliance-engineer`
Cloud-only compliance evidence	`cloud-compliance-specialist`
Security program, IR, pentest governance	`cybersecurity`
AI system risk tiers and model governance	`ai-risk-governance`
Sector campaigns, actor trends for threat-informed risk	`cti-analyst`
Authorized adversary simulation	`red-team-specialist`
SOC alert triage	`soc-analyst`
Pentest findings as risk input	`penetration-tester`
M&A/investment diligence and IC cyber briefs	`cyber-diligence-governance`

需求	技能
根据风险处置建议实施控制措施	`information-security-engineer`
IAM风险场景、SoD、访问治理	`iam-specialist`
云防护措施与CSPM整改	`cloud-security-engineer`
GRC计划、缺口方案、审计准备	`compliance-specialist`
审计证据与框架映射	`compliance-engineer`
纯云环境合规证据收集	`cloud-compliance-specialist`
安全计划、IR、渗透测试治理	`cybersecurity`
AI系统风险分级与模型治理	`ai-risk-governance`
行业活动、actor趋势用于威胁驱动型风险分析	`cti-analyst`
授权对手模拟	`red-team-specialist`
SOC警报分诊	`soc-analyst`
将渗透测试结果作为风险输入	`penetration-tester`
并购/投资尽职调查与IC网络简报	`cyber-diligence-governance`

Core Workflows

核心工作流程

1. Risk assessment intake

1. 风险评估启动

Define scope (business unit, system, vendor, program)
Identify assets, data classes, and dependencies
Capture threat events and vulnerabilities (see references)
Document existing controls and their effectiveness
Score inherent risk (before controls) and residual (after controls)
Compare to risk appetite and escalation thresholds

See
references/risk_identification_and_scoring.md
.

定义范围（业务单元、系统、供应商、项目）
识别资产、数据类别及依赖关系
捕获威胁事件与漏洞（参见参考文档）
记录现有控制措施及其有效性
对固有风险（控制前）和剩余风险（控制后）进行评分
与风险偏好及升级阈值进行对比

参见
references/risk_identification_and_scoring.md
。

2. Risk register maintenance

2. 风险登记册维护

Maintain one row per material risk scenario:

Field	Purpose
Risk ID	Stable identifier
Scenario	What could go wrong
Owner	Accountable business or tech lead
Inherent / residual	Scores and rationale
Treatment	accept / mitigate / transfer / avoid
Target date	For mitigation or acceptance expiry
KRI	Measurable indicator

Review quarterly minimum; re-score on major change, incident, or audit finding.

See
references/security_risk_analyst_scope.md
for boundaries.

为每个重大风险场景维护一行记录：

字段	用途
风险ID	稳定标识符
场景	可能发生的问题
负责人	负责的业务或技术主管
固有/剩余风险	评分及依据
处置方式	accept / mitigate / transfer / avoid
目标日期	缓解措施完成或接受期限
KRI	可衡量指标

至少每季度审核一次；在重大变更、事件或审计发现时重新评分。

参见
references/security_risk_analyst_scope.md
了解边界。

3. Threat–vulnerability–control mapping

3. 威胁–漏洞–控制映射

threat actor/event → vulnerability/condition → impact → existing controls → gap → residual risk

Link pentest, vuln scan, audit, and threat intel inputs without duplicating execution work.

See
references/threat_vulnerability_control_mapping.md
.

threat actor/event → vulnerability/condition → impact → existing controls → gap → residual risk

关联渗透测试、漏洞扫描、审计及威胁情报输入，无需重复执行相关工作。

参见
references/threat_vulnerability_control_mapping.md
。

4. Treatment and acceptance

4. 处置与接受

For each risk above appetite:

Propose treatment option(s) with cost, effort, and residual risk
Obtain risk owner and risk committee decision where required
Record accepted risks with approver, expiry, and compensating controls
Track mitigation tasks to closure; re-score residual on completion

See
references/treatment_and_acceptance.md
.

对于超出风险偏好的每个风险：

提出处置方案，包含成本、工作量及剩余风险
必要时获取风险负责人及风险委员会的决策
记录已接受风险，包含审批人、到期日及补偿控制措施
跟踪缓解任务直至完成；完成后重新评估剩余风险评分

参见
references/treatment_and_acceptance.md
。

5. Third-party and supply-chain risk

5. 第三方与供应链风险

Tier vendors by data access, criticality, and concentration. Align questionnaire depth to tier. Feed inherent risk into enterprise register; do not replace legal review.

See
references/third_party_and_supply_chain_risk.md
.

根据数据访问权限、关键程度及集中度对供应商进行分级。根据分级调整调查问卷深度。将固有风险纳入企业登记册，但不可替代法律审查。

参见
references/third_party_and_supply_chain_risk.md
。

6. Reporting and governance

6. 报告与治理

Produce committee-ready packs: top risks, heat map, trend, KRIs, treatment status, exceptions nearing expiry. Separate risk analysis from compliance attestation narratives.

See
references/reporting_and_governance.md
.

制作供委员会使用的资料包：顶级风险、热力图、趋势、KRIs、处置状态、即将到期的例外情况。将风险分析与合规认证报告内容区分开。

参见
references/reporting_and_governance.md
。

When to load references

何时查阅参考文档

Scope and role boundaries →

references/security_risk_analyst_scope.md

Scoring scales and FAIR-style framing →

references/risk_identification_and_scoring.md

TVC mapping and control gaps →

references/threat_vulnerability_control_mapping.md

Treatment and risk acceptance →
```
references/treatment_and_acceptance.md
```

Vendor and supply chain →

references/third_party_and_supply_chain_risk.md

KRIs, committees, board narrative →
```
references/reporting_and_governance.md
```

范围与角色边界 →

references/security_risk_analyst_scope.md

评分标准与FAIR风格框架 →

references/risk_identification_and_scoring.md

TVC映射与控制缺口 →

references/threat_vulnerability_control_mapping.md

处置与风险接受 →
```
references/treatment_and_acceptance.md
```

供应商与供应链 →

references/third_party_and_supply_chain_risk.md

KRIs、委员会、董事会报告 →
```
references/reporting_and_governance.md
```