Reporting to the Manager of IT Security, the IT Security Compliance and Risk Specialist is responsible for analyzing, interpreting and developing solutions and strategies to manage the internal and external IT security audits and assessments. Acting as the liaison between potential auditors and technical teams, this role leads conversations with, and collaborates with key stakeholders to identify risks and to ensure IT implemented solutions are compliant with corporate policies, regulations, and standards. The role is also responsible for monitoring remediation of audit findings up to completion, as well ensuring any mitigation strategies and security controls for all IT related findings are completed and documented.
Compliance and Risk Auditing. (40% of time).
- Assesses risks and internal control dependency on systems by identifying areas of non-compliance and evaluating risks related to key technology processes.
- Co-ordinates timely activities as it relates to internal, external and regulatory audit requests including SOX, SOC1, SOC2;
- Conducts and reviews business impact analysis, implements and coordinates disaster recovery planning and disaster recovery exercises where required;
- Conducts risk assessments and supports the stakeholders in determining the appropriate treatment of identified risks; identify appropriate action plans for risk remediation;
- Inventory, assess significance, assign accountability, and develop appropriate monitoring for the control environment;
- Conducts IT compliance reviews including user access reviews, risk assessments, control objectives monitoring, and third party assessments;
- Liaises with Information Privacy Assessment Office and identify IT compliance requirements and assist with creation and maintenance and coordinate IT responses to regulatory audits;
- Works with and supports the development of the risk and compliance practice with IT management and the leadership team.
- Assists in the creation and maintenance of the information security risk register, audit requests, and third party consultant/vendor assessments.
- Assist in gathering information asset inventory, including identification and valuation, including any strategies and methodologies around loss scenarios
- Leads complex analysis, develops and generates KRIs/KPIs, validates compliance and develops actionable recommendations.
- Works with and supports the existing IT Security training platforms to identify high risk business users within the organization.
Information Security (30% of time)
- Conducts information systems controls assessments.
- Reviews and administers the Incident Response Process, and ensures updates to and ongoing assessments are coordinated as required.
- Reviews and actions the latest Indicators/Endpoints of Compromise as required, ensuring issues are addressed in a timely fashion to mitigate any potential attack(s).
- Performs the necessary technical support as required, in order to support the Corporate Security strategy and processes, such as remediation actions and/or tactics that may be deployed as a result of a security scan result.
- Documents, tracks and investigates information security events, requests, and incidents;
- Implements and reviews information security policies, guidelines, procedures, training materials, awareness campaigns, internal bulletins and portal contents.
Development, administration, and implementation of IT risk policies, procedures, guidelines and standards (20% of time)
- Supports the stakeholders in understanding and applying IT risks, security best practices and processes framework;
- Performs consultation and development of the IT objectives and requirements of the risk program;
- Partners with IT managers and team members to ensure risk and compliance issues are identified, defined, communicated, and addressed.
- Provides effective mentoring and guidance to other IT personnel and may assist in developing policy, standards and procedures.
- Collaborates in change management communications and processes, with focus on facilitating risk and compliance training for all affected staff.
Disaster Recovery & Business Continuity & Incident Response (10% of time)
- Business Continuity and Disaster Recovery program administration including conducting impact assessments, disaster recovery plans development and coordinating disaster recovery exercises;
- Ensures Business Continuity, Disaster Recovery, and Incident Response plans are current, and supporting documentation is actioned by engaging with peers and other business supports where required;
- Assists in conducting tabletop and resiliency exercises with corporate teams.
Perform other related duties and responsibilities as assigned or required.
Requirements
- Bachelor’s degree in Information Technology, Computer Science, related discipline or equivalent combination of education and experience.
Knowledge
- A minimum of 5 years of experience managing IT audits, risk and compliance is required preferably within the public sector or medium to large-sized organization;
- A security certification through an accredited organization
- Addition Information security certifications (CRISC, CISM, CGEIT, CISSP, CCSP or GIAC) are considered an asset
- Experience working with auditors and the evidence collection process
- Knowledge of regulatory and industry standards such as ISO, NIST, COBIT, GDPR and other security frameworks
- Understanding of information systems and networks and all areas of Information Security including data protection, incident management, and vulnerability management
- Experience working with Security training tools, including creating and launching phishing campaigns, and remedial training
- Knowledge of development and management of business continuity and disaster recovery planning
- Previous experience with IT systems threat/risk assessments, IT audits and regulatory compliance such as SOX and GDPR would be an asset
- Experience with cloud security controls and administration such as AWS and Azure would be an asset