Description

About the job

JOB INFORMATION

Requisition ID: 9327

Number of Vacancies: 1

Department: Information Technology Services (20000014) - Information Security Office (30000033)

Salary Information: $88,306.40 - $110,401.20

Pay Scale Group: 09SA

Employment Type: Regular

Weekly Hours: 35 Off Days: Saturday and Sunday Shift:

Posted On: April 8, 2024

Last Day to Apply: April 21, 2024

Reports to: Director, Cybersecurity Risk Management

Career Opportunity

A great opportunity within the Information Technology Services to work on Cybersecurity Initiatives.

What You Will Do

Reporting to the Director, Cybersecurity Risk Management, the Analyst Cybersecurity Risk Management is responsible for reducing information security and cybersecurity risks to the Information Technology (IT) of the TTC. The incumbent supports the risk mitigation efforts through conducting risk assessments, establishing and maintaining governance and compliance standards, creating, communicating, and enforcing information security policies and providing recommendations on risk management strategies.

The incumbent executes and administers security solutions/systems consistent with regulations and established frameworks and may lead relevant implementation projects and is also responsible for promoting cybersecurity awareness throughout the TTC.

The incumbent is also responsible for promoting cybersecurity awareness throughout the TTC.

You will be responsible for Security Risk Assessment and Governance and Compliance where you will conduct comprehensive security risk assessments of new and existing information systems, networks and infrastructure to identify potential vulnerabilities, threats, and risks, evaluate and benchmark TTC’s cybersecurity capabilities in line with NIST Cybersecurity Framework and develop plans to prioritize actions and investments required to improve capabilities to industry best practices recommend controls to mitigate security risks identified through the risk assessment process and communicate risk findings that are clear and actionable by relevant stakeholders, conduct Threat Risk Assessment (TRA) (e.g. Harmonized Threat and Risk Assessment (HTRA) methodology) and populate Risk Register with ongoing risks to the organization, develop, enhance and communicate security governance frameworks policies, standards and procedures across the TTC, define and operationalize data classification standard to classify and label data and files and define security controls baseline for classified data, and esign and document technical, administrative, and physical controls to ensure the business demonstrates compliance, ensuring that the TTC meets both the requirements and intent of its regulatory and compliance obligations.

You will also be responsible for Third Party Supplier and Vendor Risk Management where you will perform 3rd party / vendor risk assessments to ensure supply chain risk is managed throughout the supplier's lifecycle, 3rd party due diligence (initial risk assessment before commencement of services and on-going risk-based monitoring) for adherence to TTC security standards and articulate results of the final assessments to business stakeholders, project sponsors, program managers, and other internal parties.

In addition to the above work collaboratively with cross-functional teams, including IT, OT, legal, compliance, and business units, to ensure effective risk management and security governance, support, develop, and administer GRC systems for Information Security and responsible for treating passengers and/or employees with respect and dignity and ensuring the needs of passengers or employees with disabilities are accommodated and/or addressed (if applicable and within their area of responsibility) in accordance with the Ontario Human Rights Code and Related Orders so that they can fully benefit from the TTC as a service-provider and an employer and perform related duties as assigned.

What Qualifications Do You Bring?

• University degree in Computer Science, Information Security, Cybersecurity, or a related field as well as several years of Cybersecurity risk management experience or the equivalent combination of education and experience.
• Several years of relevant Cybersecurity experience in Governance, Risk and Compliance
• Several years of Information Technology experience in Microsoft and Linux platforms
• Experience with security frameworks (such as NIST CSF, ISO/IEC 27001/27002, and SOC2) and creation of policies, standards and procedures
• Experience with Privacy and Security requirements such as PHIPA, PIPEDA, MFIPPA, Canada’s antispam legislation (CASL), ISO IEC 27001, ISA IEC 62443, PCI DSS
• Experience in applicable information security management, governance, and compliance principles, practices, laws, rules and regulations
• Strong understanding of Information technology systems and processes, network infrastructure, data architecture, data processes, and protocols
• Excellent written & verbal communications skills (communicating at all levels with internal & external stakeholders) with fastidious attention to detail
• Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one
• Strong analytical, problem-solving and troubleshooting skills
• An understanding of organizational mission, values, goals and consistent application of this knowledge
• Ability to work in a fast-paced environment managing multiple priorities with proven time management skills.
• Any of the following certifications will be an asset:
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Auditor (CISA)
• GIAC Systems and Network Auditor (GSNA)
• Certified Information Systems Security Professional (CISSP)

What We Offer

• Commitment to creating a diverse, equitable and inclusive culture that promotes a sense of belonging and represents and reflects the needs of the communities we serve.
• A flexible, hybrid work approach that allows colleagues to find balance between their professional and personal lives and making the most of the benefits of working remotely and purpose-driven in-person collaboration opportunities.
• One of the great benefits of being a full-time TTC employee is becoming a member of TTC defined pension plan.
• A comprehensive package that covers health, dental, vision and more.
• Support for professional development opportunities for all colleagues through a broad range of learning programs that include in-person and online training, leadership development, and support for colleagues’ well-being.

Commitment to EDI

The TTC is committed to upholding the values of equity, diversity, anti-racism and inclusion in the delivery of its services and in its workplaces. The TTC is committed to fostering a diverse workforce that is representative of the communities it serves at all levels of the organization, and supports an inclusive environment where diverse employee and community perspectives and experiences bring value to the organization. The TTC encourages applications from all applicants, including members of groups with historical and/or current barriers to equity, including but not limited to, Indigenous, Black and racialized groups, people with disabilities, women and people from the LGBTQIA+ community. The TTC values and supports an inclusive and barrier-free recruitment and selection process. Accommodations for applicants are available upon request throughout the recruitment and selection process, including for those who identify as having a disability. Please contact Talent Management at (416) 393-4570. Any information received related to an accommodation will be addressed confidentially.

The TTC’s policy prohibits relatives of current TTC employees from being hired, assigned, transferred or promoted into positions, where there is a conflict of interest due to a relationship. Should you be selected for an interview, you will be required to disclose the name, relationship and position of any relative who is a current TTC employee.

We thank all applicants for their interest but advise only those selected for an interview will be contacted.