Security Specialist (TRA, NIST)
Duration: 1 year to start with; 6 months potential extension
Location: Toronto, Ontario
- Determining the scope of each TRA they are assigned;
- Planning and managing all deliverables required in order to conduct TRAs on each assigned application and/or system;
- Conducting the TRA for the assigned projects, following a formal risk assessment methodology such as NIST, the Harmonized Threat and Risk Assessment Methodology or equivalent;
- Developing and implementing a TRA Work Plan, including but not limited to:
  - A detailed schedule, including milestones, critical activities and dependencies for the completion of the work;
  - Identifying employees and assets to be safeguarded in a Statement of Sensitivity;
  - Determining threats to employees and assets in Canada and abroad, and assessing the likelihood and impact of threat occurrence;
  - Assessing risks based on the adequacy of existing safeguards and vulnerabilities;
  - Recommending any supplementary safeguards to reduce the risk to an acceptable level;
  - Providing weekly status and progress report updates;
  - Completing relevant Information Security-related work (such as conducting meetings/interviews);
- Providing subject matter expertise on Threat Risk Assessment, Vulnerability Assessment, Penetration Testing and Privacy Impact Assessment of the IT operations, capital IT projects and IT systems;
- Developing the Request for Proposals and Request for Quotation for Vulnerability Assessment (VA) services;
- Assisting with Vulnerability Assessment Risk Treatment Plans and risk remediation with project teams;
- Completing and submitting a Final TRA report for each system assessed.
Qualifications and Experience:
- Knowledge of formal Threat Risk Assessment (TRA) approaches such as the Harmonized Threat and Risk Assessment (HTRA) methodology and NIST;
- Experience in delivering written TRA reports;
- Minimum of six years of experience in the information security and/or IT risk management field;
- Minimum of four years' experience performing TRA(s) on complex IT projects that include BOTH infrastructure and application security assessments;
- Demonstrated ability to engage stakeholders, consult and manage issues;
- Superior written and oral communication skills with technical and business audiences;
- Timely with deadlines, a team player and organized, as well as able to conduct information gathering sessions and interviews with stakeholders;
- Current holder of security industry-specific certifications;
- Demonstrated understanding of technical and non-technical vulnerabilities and mitigation controls;
- Expert knowledge of security controls that impact the protection of sensitive/personal information, data integrity and system availability, including (but not limited to) internet tools, system interfaces, information security, information architecture and data flows;
- Well-developed research, analytical and problem-solving skills;
- Understanding of the vulnerability assessment and penetration testing lifecycle;
- Understanding of risk remediation and risk treatment.