Company Description
SAV Associates Chartered Professional Accountants is a full-service CPA firm with offices in Toronto, Edmonton, Vancouver, and Texas. Our firm specializes in meeting the cyber security consulting and assurance needs of large corporations and enterprise businesses. We are known for our innovative and lasting results, serving a diverse range of clients across various industries.
Role Description
This is a full-time on-site role for an Information Security Specialist (Penetration Testing and Audits) at SAV Associates in Toronto, ON. Amongst other things, the specialist will be responsible for conducting security audits, penetration testing and configuration reviews, and for ensuring data privacy compliance and network security. The day-to-day tasks will involve managing application security reviews, cybersecurity protocol assessments, and information security and internal control audits.
Please apply only if you live in the Toronto area. This position requires working from the office; a remote work option is not available at this time.
Responsibilities / Duties and Performance Expectations
Penetration Testing and Vulnerability Assessment
- Perform thorough and methodical penetration testing on web applications, network infrastructures, and other systems to identify security vulnerabilities. This includes utilizing manual and automated testing methods to find exploits, misconfigurations, and insecure access entry points.
- Develop, design, maintain, and execute detailed test plans following the test procedures, evidence marking procedures, and report templates.
- Assess and analyze security weaknesses, and provide actionable recommendations to mitigate risks and improve overall security posture.
- Document and communicate findings clearly and effectively to both technical and non-technical stakeholders. Prepare comprehensive reports with recommendations for remediation.
- Keep up-to-date with the latest security trends, vulnerabilities, and tools to ensure testing methodologies are current and effective.
- Work closely with IT and development teams to understand system architectures, provide guidance on security best practices, and support the implementation of security improvements.
- Evaluate and assess potential security risks related to new and existing systems and technologies.
- Ensure that penetration testing practices comply with relevant regulations, standards, and organizational policies.
- Provide training and support to other team members on security best practices.
IT Security Assessment
- Responsible for analyzing and assessing clients' IT infrastructure to test the design and operational effectiveness of their processes and systems.
- Perform or support risk assessments to identify information security issues.
- Perform or support vulnerability assessments to determine the organization's security flaws and weaknesses, and communicate the findings.
- Analyze security measures to determine their effectiveness and recommend changes that will improve security and the associated controls.
- Analyze IT specifications to assess security risks, including antivirus programs and network security through firewalls, password protection and other systems.
- Inspect networks and hardware for vulnerable points of access.
- Apply experience with, or an understanding of, security architecture concepts and requirements.
- Perform penetration testing and vulnerability assessment using tools such as Kali, Nessus and Parrot.
- Suggest remediation for privacy breaches and malware threats.
- Serve as a security expert and conduct trainings when needed.
- Draft policies and guidelines for the clients.
IT Audit
- Execute audits that primarily deal with technology in the areas of IT infrastructure, processes, applications, operations, security and emerging technologies.
- Audit against assurance, governance and control frameworks such as COBIT, NIST and ISO, and Service Organization Controls (SOC) reporting standards (e.g. CSAE 3416, SOC 1, SOC 2), and apply IT risk and control concepts.
- Ability to prepare a risk and controls matrix and perform risk and internal control assessments by identifying areas of non-compliance; perform walkthroughs and clearly document the processes and controls; identify process weaknesses and operational issues; perform test procedures and assist in completing the report.
- Knowledge of the planning steps for an assurance engagement, i.e. understanding the organization's objectives, structure, policies, processes and internal controls; identifying risk areas; preparing the audit scope and objectives; preparing audit programs.
- Ability to write comprehensive and easy-to-follow audit work papers and memos, mapping them to the underlying audit tests and findings.
- Strong knowledge of executing audit program steps: testing key areas; examining and analyzing documentation, risks and internal controls; evaluating manual and automated controls; identifying process weaknesses, inefficiencies and operational issues.
- Provide advisory services to clients on issues related to IT risk assessment, controls and governance.
- Ability to wrap up files independently: prepare final reports as required by the applicable frameworks / standards and ensure compliance with Canadian / applicable auditing standards.
- Ability to wrap up the audit files with limited supervision.
Advisory work
- Assist clients with the development / management of security strategies, policies, programs, protocols, controls, tools for risk mitigation and security countermeasures.
- Design and implement Identity Access Management tools.
- Assist clients with their PCI certification process and assessment requirements
- Perform ISO 27000 series audits
Others
- Depending on client needs you may be asked to work on other advisory engagements
- Various day to day office administrative functions as needed
Qualifications
- Bachelor's or Master's degree in Information Security, Cybersecurity, or related field
- The preferred candidate may also have one or more of the following designations:
  - CISA, CIA, CISSP or CISM
  - ISO Lead Auditor
  - PCI QSA
  - Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), CREST, SANS GIAC Penetration Tester, Web Application Penetration Tester, Exploit Researcher and Advanced Penetration Tester
Must-have skills
- Application Security and Network Security skills
- Cybersecurity and Information Security Management expertise
- Data Privacy knowledge
- Experience in security audits, penetration testing, and risk assessments
- Skills to plan, implement, administer, maintain, and secure a computer network.
- Audit experience with a CPA/CA or IT consulting firm; must have done audit work
- Must have knowledge of scripting languages such as Perl, VBScript and *nix shell scripting
- Previous experience with IDS and log correlation software (SIEM) is an asset
- Excellent knowledge of cyber security standards, risks, threats, prevention measures, and best practices.
- Hands-on experience with vulnerability scanning and management processes and tools like Nessus, Qualys, ServiceNow Vulnerability Response.
- Knowledge of OWASP Top 10, OWASP ASVS, SANS, NIST, OWASP testing guide and Penetration Testing Execution Standard
- Proficient with Microsoft Office applications (Word / Excel / PowerPoint / Access / Visio)
- Project management: able to multitask and finish work under tight deadlines; communicates task progress and findings in status meetings, highlighting unresolved issues
- Good English writing skills
- Ability to work under pressure
- Willing and able to learn and work independently with minimal supervision
- At least 3 years of experience in audit and cyber security
- Willing to work additional hours and weekends to meet client needs
Good-to-have skills
- Knowledge of Controls audits / IT audits and experience with SOX or SOC reports
- Demonstrate an interest in pursuing relevant designations and completing the required examinations; maintaining personal networks; participating in professional organizations.
- Preference will be given to applicants residing in North York / Toronto