Lead Analyst, IT Security Risk and Compliance

University of Ottawa | Ottawa, ON
CA$107,503 - CA$134,379 | Hybrid

About The Position

Reporting to the Chief Information Security Officer, the incumbent is responsible for designing and implementing an overall information security risk and compliance management process for the University. The incumbent will manage the process of gathering, analyzing, and assessing the current and future information security and privacy threats to the University. He/she will focus on delivering the objectives within the University’s information security strategy as well as enhancing a security program that identifies and addresses security and privacy risks and requirements. The incumbent works with various stakeholders across the University to drive the information security agenda, ensuring it meets complex compliance requirements, as well as maintaining, monitoring, and promoting information security best practices. He/she acts as a specialist with a deep knowledge of various security risk management and compliance frameworks and plays an integral role ensuring security controls and requirements are incorporated into all information technology projects and initiatives.

Requirements

  • University degree in Computer Science or Information Technology or a related field or an equivalent combination of education and experience.
  • Minimum of seven (7) years of information security, IT audit and/or IT Risk Management experience.
  • Expert understanding of NIST and ISO Risk Management Frameworks, ITSG-33, NIST CSF, ISO 27002, COBIT, SOC 2, and other relevant frameworks.
  • Experience with security assessments (AI, Cloud, SaaS, etc.).
  • Experience with risk discovery and assessment, as well as appropriate mitigation and controls.
  • Good knowledge of the latest trends in information security and risk management, e.g. evolving technologies, cyber risk mitigation, etc.
  • Experience auditing IT environments, either through an internal or external audit role.
  • Broad knowledge of IT architecture and underpinning technologies including but not limited to: identity and access management, cloud hosting providers, database administration.
  • Experience designing and supporting large-scale, end-to-end information security systems in a complex, multi-platform environment spanning both on-premises and cloud-hosted systems.
  • Knowledge of security technologies such as various monitoring and log aggregation platforms, penetration testing frameworks, operating systems, vulnerability scanners, and endpoint security solutions.
  • Leadership skills, ability to coach and mentor other IT professionals.
  • In-depth analytical skills for complex problem solving – identification, diagnosis, resolution.
  • Experience in project management and meeting strict deadlines.
  • Good communication skills to interact with team members, support personnel, and provide technical guidance and expertise to clients and management.
  • Ability to work a flexible schedule including occasional weekends and evenings.
  • Bilingual: French and English (spoken and written).

Nice To Haves

  • Knowledge of the University’s information technology and security policies, procedures and standards would be considered an asset.
  • CISSP, CRISC, or other information security certifications are an asset.

Responsibilities

  • Manages the process of gathering, analyzing, and assessing the current and future threat landscape.
  • Conducts information security risk assessments across the organization at suitable intervals.
  • Ensures key risks are understood, communicated, and tracked on the risk register.
  • Analyzes the financial, reputational, and legal impacts to the University when information security risks occur and provides guidance and recommendations on how best to mitigate these risks.
  • Manages the process of ensuring information technology projects, initiatives, and external vendor contracts are compliant with the established information security policies, standards, and procedures of the University.
  • Collaborates closely with stakeholders to ensure security is factored into the evaluation, selection, installation, and configuration of hardware, software, and applications.
  • Conducts periodic reviews of vendor environments to ensure information security controls continue to remain compliant with established contracts.
  • Responsible for monitoring and reporting on various information security risk and compliance metrics.
  • Provides regular updates to key stakeholders and executive leadership offering a realistic overview of risks and threats throughout the organization.
  • Create and keep up to date new and existing information security policies and procedures to ensure operating efficiency and regulatory compliance.
  • Coordinates the development and implementation of technical controls and configurations to align with security policies and legal, regulatory, and audit requirements.
  • Responsible for ensuring policies and procedures are enforced in a consistent manner across the University.
  • Act as a subject matter expert in order to provide support, education, and training to staff with the goal of building risk awareness within the University.
  • Actively participates in the University’s information security awareness program by providing input and content.
  • Provide advisory support to operational teams in strengthening the University’s overall information security posture.
  • Periodically review audit trails, system logs, and other monitoring data sources to ensure they are in compliance with policies, standards and audit requirements.
  • Evaluates and documents requests for exceptions to policies, ensuring sufficient mitigating controls are in place.
  • Ensure that internal and external audits are supported in development of an annual strategic audit plan.
  • Continually review the operational components of the security incident management processes to ensure they comply with the established incident response plan.
  • Formally documents risk assessment results and provides regular updates to management.

Benefits

  • competitive salary
  • defined benefit pension plan
  • group insurance coverage
  • employee and family assistance program