Type: Contract
Term: 6 months with possible extension
Location: Remote / Virtual from within Canada
The Cybersecurity Risk Analyst (CRA) is responsible for identifying, evaluating, presenting, and reporting on cybersecurity risks.
The CRA works proactively with programs, Enterprise Risk Management, IT teams, and the larger Community to identify, analyze, report, communicate and monitor enterprise digital security risks. The CRA must understand the Policy Framework and create risk indicators that show variances in policy framework adoption or adherence. The CRA shall support, and ensure adherence to, standards for cybersecurity, digital and information risk management.
This is a well-rounded IT professional who has acquired practical skill and experience from other IT fields and performs cybersecurity risk identification and assessments of cybersecurity-related activities that might introduce or change the risk status of digital assets. The CRA will also work to ensure the Digital Security Program continues to operate within cybersecurity risk tolerances.
Responsibilities:
To be successful, the contractor CRA:
- Works with IT teams, reviews operational and project activities (plans, designs, testing, reporting, etc.), provides a risk profile, and recommends appropriate remediation measures to minimize cybersecurity risks
- Works with compliance teams to continually monitor compliance drift, provides risk assessments and the consequences of new risk profiles, and advises applicable managers to take effective remediation steps
- Manages the Vulnerability Management Program (reviews, analyzes, and reports on the outcomes of penetration tests and vulnerability assessments with a view to creating a digital security/cybersecurity risk posture) together with the Managed Security Services partner
- Follows up with applicable Risk Owners to ensure vulnerability findings are mitigated
- Works with Enterprise Risk Management to ensure digital security/cybersecurity risks do not exceed risk appetite or operate outside risk tolerance bands
- Maintains an up-to-date understanding of industry best practices and monitors the legal and regulatory environment for updates that could require changes to the established Digital Security policy framework
- Creates, disseminates, and updates Digital Security Risk documentation
- Works directly with Digital Governance Committees and business units to facilitate cybersecurity risk management processes by reporting on inherent risks and arriving at acceptable levels of residual risk
- Establishes and maintains guidelines for information classification and protection
- Works with the relevant IT teams to continually review the results of vulnerability scans and penetration tests to provide an 'as is' cybersecurity risk assessment of IT assets
- Manages digital risk assessments
- Conducts risk reviews for new applications
- Coordinates cybersecurity risk management activities
- Creates and manages the Digital Security Risk Register
- Tracks and reports risk management trends, opportunities, and remediation
Experience & Skills
- Minimum of 5 years of progressive experience in IT risk, cybersecurity risk management, IT audit or information security risk management, with an emphasis on cybersecurity technology implementation projects or related technology implementations.
- Position requires a 4-year degree in computer science, management or engineering, recognized in Canada. An equivalent combination of education and experience will be considered.
- For those not meeting the minimum education, additional work-related experience will be deemed equivalent.
- CRISC, CISM, and/or CISSP certification is an advantage.
- Proactive, continued professional and personal skill development is mandatory.
- Excellent contract management skills. Experience working with a Managed Security Services Provider is an advantage.
- Understanding of cybersecurity risk management and risk mitigation strategies.
- Ability to communicate project and technology risks effectively.
- Working knowledge of a broad range of standards and frameworks: International Standards Organization (ISO) 27001, IT Infrastructure Library (ITIL) and ISO 20000, Capability Maturity Model Integration (CMMI) and Six Sigma.
- Excellent knowledge of common risk management methodologies: ISO, NIST, COBIT, COSO, etc.
Applicant must be eligible to work in Canada and reside within Canada.
**Final candidates will be required to undergo a comprehensive background check, including security screening and verification of credentials.**