
Information Security Officer

InfoStaff

This is a Contract position in Toronto, ON posted July 29, 2017.

Job Description

**This is a Full-Time position (not a contract). Must be authorized to work in the U.S. without sponsorship. Must be a US citizen or a green card holder. F1 OPT and Corp to Corp candidates will not be considered.**

The Information Security Officer/Advisor (ISO) is accountable for ensuring that information security risks within technology development are identified, assessed and reported, that appropriate controls are in place, and that local procedures and activities comply with Information Security (IS) Corporate Policy and Standard, the Information Security Manual (ISM), local standards and regulatory requirements. In addition, the ISO is the centre of competence for Information Security, providing advisory services, and is aligned to the line of business (LOB).

Consulting and Advisory

Governance and Control

Reporting

Training and Awareness

Information Security Officer Council Member

Consulting and Advisory:

• Work closely with portfolio personnel, stakeholders, and senior management to identify Information Security related risks and controls.

• Understand business, local and Information Security strategies as they relate to the portfolio.

• Provide Information security requirements advice and counsel to portfolio personnel, project teams, and the Business ensuring alignment to IS processes and solutions.

• Lead security design of “projects” (application/infrastructure/etc.) as required. Manage/facilitate Information Security Assessments (ISA) throughout the project lifecycle, ensuring key risks are highlighted and controls are identified and implemented to mitigate risk. The assessment function must be segregated and independent from design input.

• Lead the Information Security portion of the TDEI Application and Infrastructure Health Checks as required.

• Evaluate and assess emerging security threats and vulnerabilities in portfolio and work with portfolio personnel to identify appropriate controls.

• Provide portfolio personnel guidance in understanding and responding to security incidents with appropriate stakeholders.

• Complete Information Security assessments for new and existing suppliers, including site visits and evaluation of RFP responses, where appropriate.

• In cooperation with Strategic Sourcing and Outsourcing Centre of Competency, participate as required in contract due diligence reviews for any supplier agreements involved in the portfolio.

• Provide consultation to portfolio and legal personnel in the negotiation of Information Security related contractual clauses with suppliers.

• Be an advocate for IS solutions and standards.

• Work as an Information Security subject matter expert and provide expertise in regard to the supported area or portfolio.

Governance and Control:

• Implement information security risk governance and control framework for the local organization that incorporates a consistent, sustainable methodology for identifying, assessing, and documenting information security risk that provides early warning of potential failure to meet information security requirements.

• Direct and monitor due diligence of information security risk processes (including ISA and supplier assessments) and results on an ongoing basis.

• Oversee and manage the portfolio of Information Security Manual exceptions (ISMEs) to ensure these are current, accurate and supported by sound resolution plans.

• Complete portfolio-level risk assessments.

• Interpret and act on IS reports.

• Ensure compliance with standards specific to the local organization, consistent with IS policies and guidelines and with T&O control frameworks (e.g. CMMI, ITIL), via shared services (i.e. CMRP).

• Review and provide recommendations on IS policies, standards, guidelines and processes.

• Escalate potential or unresolved IS issues to management for resolution as appropriate.

Reporting:

• Consolidate, interpret and report key information security risks and trends for the portfolio, and understand the effectiveness of controls in managing the key risks. This includes standard and ad hoc analyses and reporting for a variety of stakeholders, including the local organization, Operating Group, IS Corporate Support Area (CSA) and others as appropriate. Integrate, interpret and analyze data to produce the portfolio information security risk profile for the local organization and IS CSA, identifying potential exposures and trends.

• Identify and report IS trends by reviewing portfolio risk assessments and compliance risk reports.

• Report on the portfolio of ISMEs, complete trending analysis, and collaborate with other ISOs to determine and report on aggregate risk exposure and to develop and propose joint solutions.

Training and Awareness:

• Participate in and facilitate communication and training to promote effective Information Security risk management and embed IS Risk Management controls and practices within the local organization, leveraging existing programs where available.

• Promote awareness and knowledge of good Information Security practices in the general and specific (e.g. developer) local populations, with guidance from IS CSA, e.g. via training and awareness sessions and communication programs.

• Assist local organizations in developing and implementing their own unit or role specific Information Security training and awareness programs as appropriate.

Information Security Officer Council Member:

• Participate in the FG Information Security Officers council.

• Consult with fellow Information Security Officers on related requirements and best practices.

• Assist in the dissemination and sharing of IS awareness material.

• Maintain a relationship of trust and collaboration with other ISO professionals.

• Actively participate and contribute to common ISO initiatives.

Qualifications:

Knowledge:

  • Bachelor's or Master's degree in Information Security or equivalent.

  • Information Security certification is encouraged (e.g. CISSP, CSSLP, GIAC), but not mandatory.

  • Previous experience as a programmer/developer.

  • Experience gathering and reviewing application security requirements and working with development teams to provide Information Security requirements advice and counsel, ensuring alignment to IS processes and solutions – must have.

  • Experience reviewing security design/architecture for security controls – must have.

  • Experience with threat modelling.

  • In-depth knowledge of Information Security risk and industry best practices.

  • In-depth knowledge of application security and software assurance (white-box testing) – must have.

  • Working knowledge of web application vulnerability assessment tools such as AppScan and WebInspect.

  • Strong secure coding practices and experience with static code analysis tools (Fortify).

Skills:

  • Secure Coding

  • Static code analysis

  • Programming

  • QA

  • Reviewing application security design / architecture for security controls throughout the lifecycle of an application (web, mobile)

  • Agile methodology

  • Threat modelling

  • Advanced analytic skills

  • Highly developed communication skills, both verbal and written

  • Strong Relationship Management skills

  • Problem solving

  • Negotiation/ mediation

  • Project Management