Security Specialist - Threat Risk essment

Note: Remote/Hybrid work required to come to the office upon request (once every two weeks).

MUST HAVE:

• 5 years information security risk management experience
• 3 years security architecture experience
• 3 years security risk assessment experience

Description

Responsibilities Assesses internal and external threats and vulnerabilities of information systems and resources and the likelihood of these threats and resulting impacts. Where possible reduce risks through system or organizational design. Implement security measures to prevent or mitigate detect and respond to security threats and vulnerabilities to information systems and resources at the program and enterprise levels. Periodically review security measures to ascertain that the security measures are still sufficient and continue to operate as expected. Such reviews must also be performed whenever security incidents occur or business processes change. Defines evaluates and assesses security architecture requirements for systems environments and IT projects. Ensures the incorporation of IT security and contingency measures in the development of systems. Advises on the identification analysis and resolution of specific security factors risks vulnerabilities; protection of personal privacy issues; and appropriate industry and international security standards. Carry out information and information technology (I&IT) security projects and tasks in the Ontario Public Service as assigned by Corporate Security or cluster I&IT management

Experience and Skill Set Requirements

General Skills

• Strong understanding and expertise in security architecture.
• Experience in applying Cyber Security methodology and tools to define scope critical business processes and functions.
• Skilled in identifying critical assets and dependencies in reports to clients (TRA or other security assessments).
• Experienced in planning and facilitating Threat Risk Assessment (TRA) and/or other workshops with business clients.
• Proficient in applying Harmonized Threat Risk Assessment (HTRA) or equivalent methodology.
• Knowledge of techniques to secure information assets and the planning design and implementation of security technologies.
• Proven ability to discover gaps or weaknesses in security architecture and mitigate known security threats or inherent weaknesses.
• Knowledge and understanding of relevant legislation and corporate directives related to the security and confidentiality of information (e.g. Freedom of Information and Protection of Privacy Act).
• Solid knowledge of current security and contingency technology and techniques (e.g. digital signature encryption access controls firewalls authentication virus protection etc.).
• Proven working knowledge of security audit procedures and protocols.
• Experience in developing enterprise architecture deliverables (e.g. models).
• Experience in providing specialized security support at an expert level.
• Proven track record in establishing secure environments at the network operating system or application level.
• Experience with implementing security in complex and distributed systems.
• Expertise in conducting indepth analysis and providing recommendations with required signoffs within prescribed timelines (e.g. TRA reports or other security assessment reports).
• Experience and knowledge in providing security requirements for procurement documents and participating in security evaluations during the procurement process.
• Ability to assess Information Security Risk Business Continuity Planning and Business Impact Analysis for various technical environments including Mainframe Unix and Windows.
• Awareness of emerging IT trends and directions particularly related to security.
• Excellent analytical problemsolving and decisionmaking skills.
• Strong written and verbal communication skills.
• Exceptional interpersonal and negotiation skills.
• A team player with a proven track record of meeting deadlines managing competing priorities and demonstrating client relationship management experience.

Desirable Skills

• Experience in developing enterprise architecture deliverables (e.g. models) based on Ontario Government Enterprise Architecture processes and practices.
• Knowledge and understanding of Information Management principles concepts policies and practices.
• Experience in business recovery and disaster recovery planning.
• Expertise in performing threat and risk assessments.
• Experience in public key infrastructure (PKI) development and operation.
• Proficient in security design as part of systems development projects.
• Experience with intrusion detection systems.
• Skilled in using mitigation tools for malicious software.
• Experience in vulnerability analysis and penetration testing.
• Proficient in network monitoring.
• Experience in security policy development.
• Skilled in developing and delivering security education.
• Experience in conducting forensic investigations.
• Strong understanding of Information Management principles concepts policies and practices.

Cyber Risk Assessment 40%

• Understanding of threat modeling and risk assessment methodologies.
• Ability to identify vulnerabilities and potential impacts on organizational assets.
• Knowledge of risk management frameworks like NIST SP 80030
• Proficiency in using cybersecurity tools and software for vulnerability scanning and risk analysis.
• Familiarity with network security endpoint security and application security.
• Awareness of relevant laws regulations and standards (e.g. GDPR HIPAA ISO 27001).
• Ability to ensure that risk assessments align with regulatory requirements

Cyber Security Architecture 40%

• Expertise in designing secure network architectures including firewalls IDS/IPS and VPNs.
• Knowledge of cloud security architectures and best practices.
• Proficiency in security technologies such as encryption authentication and access control.
• Familiarity with security protocols and standards (e.g. TLS SSL IPsec).
• Knowledge of incident response and disaster recovery planning.
• Understanding of industry best practices and frameworks (e.g. NIST CIS Controls).
• Ability to ensure architectural designs comply with regulatory requirements.

Executive IT Communication 20%

• Ability to present complex technical information in a clear and concise manner to nontechnical executives.
• Proficiency in creating impactful presentations and reports.
• Skills in engaging with stakeholders to understand their concerns and requirements.
• Ability to build strong relationships with executive leadership and board members