Must have:
- 6-9 years in information security & privacy governance
- Proven experience in the development of policies, procedures & standards
- Strong knowledge of information security governance frameworks (e.g. CIS, NIST, ISO)
- General knowledge of security tools and technology (e.g. firewalls, IDS, IPS, encryption, EDR, DLP, NAC, CASB, DKIM, DMARC, email protection)
- Must hold at least one security certification (e.g. CISM, CISA, CISSP or others)
- General knowledge of security tools and technology
- General knowledge of systems, network and cloud architectures
- General knowledge of risk analysis, penetration testing, and vulnerability management
Nice to have:
- Formal IT & security accreditations (e.g. ITIL, COBIT)
- Bilingual in French
Reporting to the Director, Information Security & Privacy Governance, this role will contribute to governance, risk and control activities within our Information Security & Privacy programs.
This position will be accountable for the creation, maintenance and distribution of enterprise level policies, procedures and standards within the information security and privacy domains.
Ensure the information security & privacy programs accomplish their objectives by bringing a systematic approach to improving the overall effectiveness of these programs.
Facilitate and/or lead corporate-level incident response preparedness through testing, reporting and follow-up actions, and participate in incident response.
Create training courses, training presentations, programs, and develop new training materials that drive continuous awareness for information security & privacy.
KEY RESPONSIBILITIES
Training and Education
- Develop a roadmap for information security & privacy awareness training that enables greater awareness, compliance and improved education materials
- Create and maintain an effective and measurable awareness training program.
- Create, execute, monitor and report on simulated security exercises to increase the awareness of the importance of security and privacy protocols (e.g. phishing campaigns, tailgating, vishing, mystery customer)
- Drive awareness of and compliance with information security & privacy best practices.
Governance & Operations
- Develop and implement effective and reasonable policies, procedures and standards to secure our assets.
- Participate and/or lead security assessments, audits, tabletops and penetration tests
- Provide support to all stakeholders on information security & privacy standards.
- Facilitate incident response preparedness through testing, develop plans to close gaps and update response plans.
- Contribute to the identification and maintenance of an information security risk registry.
- Prepare and support security due diligence questionnaires and assessments.
- Research and maintain an awareness of industry information security challenges, changes or opportunities that would improve our information security & privacy posture
- Support and assist annual reviews of enterprise information security & privacy policies, procedures and standards.
- Collaborate with the technical information security team to identify gaps in policies, procedures, or standards and recommend improvements
- Perform analysis of third-party vendor due diligence responses to identify gaps, escalate risks as required and make recommendations to improve the process
Program Measurement/Monitoring
- Create measurements of compliance with corporate-level policies and procedures (e.g. access reviews, DLP, PIA)
- Develop and maintain an information security & privacy program scorecard/dashboard that demonstrates our current (real time) posture and opportunities for improvement
- Develop a process to report on the remediation of issues that arise from external assessments or audits
- Internally assess, evaluate, and bring forward recommendations to management regarding the information security & privacy program controls.