Security Specialist (Threat Risk Assessment)
55 John St. Toronto, ON
Position: Security Specialist (Threat Risk Assessment)
Duration: 12 months
Location: Mostly remote
The Security Specialist (Threat Risk Assessment) is responsible for:
• Determining the scope of each TRA they are assigned;
• Planning and managing all deliverables required in order to conduct TRAs on each assigned application and/or system:
- Deliverables will be reviewed for quality and completeness and signed off by City staff prior to moving to the project's next phase;
• Conducting the TRA for the assigned projects, following the Harmonized Threat and Risk Assessment Methodology or equivalent;
• Developing and implementing a TRA Work Plan, including but not limited to:
- A detailed schedule, including milestones, critical activities and dependencies for the completion of the Specialist's work:
- The Specialist's proposed timelines must be approved by the Client, including determination of an agreed-upon deliverable date;
- Identifying employees and assets to be safeguarded in a Statement of Sensitivity;
- Determining threats to employees and assets in Canada and abroad, and assessing the likelihood and impact of threat occurrence;
- Assessing risks based on the adequacy of existing safeguards and vulnerabilities;
- Recommending any supplementary safeguards to reduce the risk to an acceptable level;
• Providing weekly status and progress report updates to the identified Client staff;
• Completing relevant Information Security-related work assigned by the relevant Client staff (such as conducting meetings/interviews);
• Planning and coordinating vulnerability assessments;
• Providing feedback on findings from vulnerability assessments;
• Assisting with the creation of risk treatment plans;
• Providing advice on mitigation safeguards, processes and security best practices.
• Completion and submission of a Final TRA report for each system assessed:
- This report must be approved by the City's Risk Management and Project team prior to the completion of this assignment.
Qualifications, Experience, Technical Capabilities & Sample TRA Reports
Qualifications and Experience:
1) Knowledge of Formal Threat Risk Assessment (TRA) approaches such as Harmonized Threat and Risk Assessment (HTRA) methodology;
2) Experience in delivering written TRA reports;
3) Knowledge of identifying assets and risks relating to work management systems, cloud computing, IT/Business processes;
4) Demonstrated experience conducting TRAs on complex projects in the public sector;
5) Minimum of six years of experience in the information security and/or risk management field;
6) Extensive experience applying information security policies, best practices, standards and security controls within an environment such as COBIT, ISO27001;
7) Minimum of five years of experience identifying assets and valuation, preparing statement of sensitivity, creating threat assessment tables, vulnerability assessment tables, assessing residual risk and providing recommendations relating to TRA;
8) Minimum of six years of experience in Web Application Security, vulnerability assessment/penetration test activities and mitigation strategy development;
9) Superior written and oral communication skills with technical and business audiences;
10) Timely with deadlines, team player and organized as well as able to conduct information gathering sessions and interviews with stakeholders;
11) Is currently a holder of two (2) or more security industry specific certifications such as, but not limited to, CISSP, CRISC, CISA.
Technical Capabilities:
1) Demonstrated understanding of technical and non-technical vulnerabilities;
2) Knowledge of Information Technology concepts and processes (such as Cloud, SaaS) that impact the protection of personal information, including (but not limited to) internet tools, system interfaces, information security, information architecture and data flows;
3) Well-developed research, analytical and problem-solving skills;
4) Understanding of vulnerability assessments and penetration testing lifecycle;
5) Understanding of Risk remediation and risk treatment.
Sample TRA Reports:
Candidates must provide a copy of two (2) recent TRA report SAMPLES (or comparable analysis covering security issues, threat identification, a TRA Work Plan, recommendations and risk management strategies) with their resume, to demonstrate their writing skills and experience conducting Threat Risk Assessment analysis. At least one should be an application-centric TRA. The candidate must be the principal author of the reports provided. If the candidate is not the principal author, please provide an explanation of their role in the report. The TRA report samples can be redacted to maintain confidentiality of the content.