About The Position

Our Payments (PRESTO) Security Office is seeking a Security Governance Analyst to safeguard technology assets against internal and external security threats to the confidentiality, integrity, and availability of business information and systems by developing and implementing day-to-day system security controls, and identifying and remediating threats for identified vulnerabilities. The analyst also provides security governance of delivery projects and supports audits by analyzing and responding to results.

Requirements

  • Completion of a degree in Computer Science, Information Technology (IT), or a related discipline – or a combination of education, training and experience deemed equivalent.
  • Demonstrated experience developing and implementing system security controls, remediation of security issues and identifying and managing threats to the achievement of business objectives; project management experience; and broad-based experience in the CISSP security domains.
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate cybersecurity and risk-related concepts to technical and non-technical audiences at various hierarchical levels, ranging from board members to technical specialists.
  • Experience in security architecture requirements analysis and impact assessment in the context of security architecture. Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, and COBIT, as well as those from NIST, including 800-53 and the NIST Cybersecurity Framework.
  • Advanced knowledge and experience with agile methodology and principles in the IT environment.
  • Experience with cloud services (Software-as-a-Service, Platform-as-a-Service).
  • Project management and interpersonal skills to coordinate complex projects to meet approved timelines.

Nice To Haves

  • Technical certifications such as CISSP, CCSP, CISA or CISM are an asset. 

Responsibilities

  • Participates in and provides input into the development and implementation of information security policies, standards, processes, and procedures.
  • Supports risk identification and assessment, response and mitigation, control monitoring, and reporting.
  • Reviews and supports information system change requests by assisting with risk assessment prior to implementation to identify new sources of risk or elevation in the severity of currently identified risks.
  • Gathers and prepares data for reporting security service performance metrics, including the status of information systems, services obtained from external providers, and actions for improvement.
  • Supports the Metrolinx Payment Card Industry (PCI) program by completing tasks as required (i.e. data compilation and reporting).
  • Supports and acts on remediation plans and responses to internal and external audit findings (PCI, OAG, General Controls Audit, Internal Audit, Critical Infrastructure Protection, etc.).
  • Participates in and contributes to benchmarking exercises for comparison to industry standards (ISF, ISO, NIST) and industry peers in the government and transportation sectors.
  • Supports Cybersecurity Awareness Training through training module uploads and training completion tracking.
  • Interacts with internal and external audit partners on a periodic basis to coordinate and monitor IT responsibilities for the completion of compliance certifications.
  • Liaises with Managed Security Service Providers (MSSPs) and participates in the design, development, deployment, and support of information security systems and solutions (e.g. authentication, key management, Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM), antimalware, etc.).