Job Title: Cybersecurity GRC Analyst (Security Specialist)
Location: Toronto, ON (Hybrid)
Estimated Duration: 2 Years
Description of Assignment
The candidate will support the reduction of Cybersecurity and Privacy risks in the Information Technology (IT) and Operational Technology (OT) environment of client. The Candidate will lead risk mitigation efforts through conducting security and privacy risk assessments, establishing and maintaining governance and compliance standards, creating, communicating, and enforcing information security policies and providing recommendations on risk management strategies.
The Senior Analyst will be required to work 7 hours per day (excluding 1 hour lunch break) Mondays to Fridays at Union Station, 61 Front Street West, Toronto 2-3 days per week on site but may be required to work from different locations within the City of Toronto occasionally.
Skills and Certifications
Mandatory Requirements/Skills/Certifications
- Hybrid Work – 2 to 3 days in office.
- University degree in Computer Science, Information Security, Cybersecurity, or a related field as well as considerable Cybersecurity risk management experience or the equivalent combination of education and experience.
- 7+ years of relevant Cybersecurity experience in Governance, Risk and Compliance
- 5+ years of relevant experience with conducting Privacy Risk Assessments and Privacy Impact Assessments
- 10+ years of Information Technology experience
- Significant experience with security frameworks and standards (such as NIST CSF, ISO/IEC 27001/27002, ISA/IEC 62443, NERC CIP, CIS Controls, SOC2, etc.) and Risk Management frameworks
- Demonstrated experience with the development and refresh of Cybersecurity policies, standards and procedures
- In-depth understanding and application of relevant Canadian regulations such as PHIPA, MFIPPA, Canada’s anti-spam legislation (CASL), Critical Cyber Systems Protection Act (CCSPA), Enhancing Digital Security & Trust Act, etc.
Any one of the following certifications is required:
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Professional (CISSP)
Other Skills/Certifications
- Strong background in enterprise IT and Security Architecture, including cloud, hybrid, and OT/industrial environments
- Strong understanding of networking principles including TCP/IP, WANs, LANs, and commonly used Internet protocols such as SMTP, HTTP, FTP, POP, LDAP, SAMLv2, OAuth, and SSL/TLS
- Strong understanding of Information technology systems and processes, network infrastructure, data architecture, data processes, and protocols
- Excellent written & verbal communications skills (communicating at all levels with internal & external stakeholders) with fastidious attention to detail
- Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one
- Strong analytical, problem-solving and troubleshooting skills
- An understanding of organizational mission, values, goals and consistent application of this knowledge
- Ability to work in a fast-paced environment managing multiple priorities with proven time management skills.
- Experience implementing and using relevant tools for security risk assessment and risk management
Assignment Duties
- Conduct comprehensive security and privacy risk assessments of new and existing information systems, networks and infrastructure to identify potential vulnerabilities, threats, and risks. This involves analyzing security controls, performing vulnerability assessments, and evaluating security architecture to determine potential risks
- Recommend controls to mitigate security risks identified through the risk assessment process and communicate risk findings that are clear and actionable by relevant stakeholders.
- Identify, assess, manage, and monitor cybersecurity and privacy risks that could materially impact the client, and provide focused predictive risk analytics on business objectives to de-risk strategies, optimize capital use & accelerate revenues.
- Develop, enhance and communicate security governance frameworks, policies, standards and procedures across the client. Establish guidelines and best practices to support client’s security objectives and ensure alignment with industry standards and regulatory requirements.
- Design and document technical, administrative, and physical controls to ensure the business demonstrates compliance, ensuring that the client meets both the requirements and intent of its regulatory and compliance obligations
- Perform periodic gap assessments of the information security program to validate compliance on an ongoing basis, facilitate remediation of control gaps and escalate critical issues to leadership
- Manage exception review and approval process, and ensure exceptions are documented and reviewed periodically
- Ensure compliance with relevant regulatory frameworks, industry standards, and internal policies. Monitor and assess client’s compliance with these regulations and recommend strategies for maintaining compliance. Collaborate with stakeholders to address any compliance gaps and provide recommendations for improvement.
- Perform 3rd party due diligence (initial risk assessment before commencement of services and on-going risk-based monitoring) for adherence to client security standards
- Review the information security sections of procurement documents (e.g. RFI/RFP, MPSA, contracts, and POs), identify gaps, and recommend security and data privacy content to close them.
- Maintain inventory of relevant suppliers/vendors, controls, and risks for ongoing vendor risk management activities
Deliverables
Deliverables include:
- Security & Privacy Risk Assessments
- Governance and Compliance
- Cybersecurity Advisory services
- Support 3rd Party Cyber Risk Management activities
- GRC SME supporting projects/initiatives
The pay range that the employer reasonably expects to pay for this position is between CA$90.00 and CA$110.00
Our voluntary benefits offering includes medical, dental, vision and retirement benefits.
This posting is for an existing vacancy.
Tundra Technical Solutions is a global workforce and technology delivery firm, ranked by Staffing Industry Analysts as one of the largest in North America. At Tundra, we aren't just hiring top talent at the world's most recognizable brands; we are pioneers of social recruitment. We are an equal opportunity employer, and we do not discriminate on the basis of race, religion, color, national origin, sex, sexual orientation, age, veteran status, disability, genetic information, or other legally protected characteristics. We welcome and encourage diversity in the workplace.
We use artificial intelligence tools to help our recruiters screen and assess talent. These tools do not replace human decision making in the process.
Not interested in this position, but know somebody who might be? Check out our Referral Reward Program; referrals are a big secret behind our success. As always, we’re on the lookout for great people. And we know that you know great people!