Role Description :
- The IT Risk and Compliance Management Specialist will support the delivery of IT Security and Risk Management activities for a government IT project involving the deployment of solutions in a new Microsoft Azure cloud environment.
- The resource will collaborate with IT teams, business stakeholders, and subject matter experts to ensure compliance with applicable security standards, policies, and risk management requirements.
Responsibilities :
- Review, analyze, and apply the Government of Canada’s Medium Profile for Cloud (PBMM) and Cloud Guardrails to IT systems during Security Assessment and Authorization (SA&A) activities.
- Review, analyze, and apply applicable government security policies and standards to IT systems as they relate to SA&A.
- Identify personnel, technical, physical, and procedural threats and vulnerabilities within IT networks and security architecture.
- Develop, review, and analyze security-related documentation, including:
  - Data security analysis;
  - Contractual security schedules;
  - Statements of Sensitivity (SoS);
  - Threat and Risk Assessments (TRA);
  - Vulnerability assessments;
  - Risk briefings.
- Conduct SA&A activities, including:
  - Developing SA&A plans;
  - Verifying that security safeguards meet applicable control frameworks, policies, and standards;
  - Validating security requirements across project lifecycle stages;
  - Confirming proper configuration of systems and implementation of safeguards;
  - Conducting security testing and evaluation (ST&E) to verify functionality of technical safeguards;
  - Assessing residual risks to determine if they meet acceptable levels;
  - Reviewing security documents to ensure compliance with control frameworks, policies, and standards, and identifying conditions for approval.
- Develop and document approval processes for key business stakeholders, including interim and final go-live approvals.
- Collaborate with subject matter experts to configure and manage Microsoft Azure cloud infrastructure to meet security and compliance requirements.
- Provide training to IT executives, IT leaders, and business stakeholders on IT Risk and Compliance frameworks, processes, and responsibilities.
- Establish and maintain IT Risk and Compliance reporting mechanisms, including periodic reporting to executives and business stakeholders.
Requirements :
Skill Requirements / Qualifications :
The Resource must have the following minimum qualifications or experience :
Mandatory Skills and Qualifications :
Education :
- Bachelor’s degree in Computer Engineering, Computer Science, Commerce, or an equivalent field.
Experience :
- Minimum of 10 years of experience as an IT Risk and Compliance Management Specialist.
- Minimum of 5 years of experience leading an IT Risk and Compliance Management function.
Technical Knowledge :
- Familiarity with security, IT process, and control frameworks such as COBIT, ISO 27002, ITIL, and TOGAF.
- Hands-on experience with Microsoft Azure cloud infrastructure configuration and management.
- Experience implementing the Government of Canada’s Medium Profile for Cloud (PBMM) and Cloud Guardrails.
- Experience with the Government of Canada’s Security Assessment and Authorization (SA&A) process.
Skills :
- Strong analytical and investigative skills to address complex security and risk issues.
- Excellent organizational, interpersonal, and written communication skills.
- Demonstrated ability to manage multiple priorities under strict deadlines.
- Ability to handle highly confidential matters with discretion.
- Ability to develop and deliver training programs to technical and non-technical stakeholders.
Preferred Skills and Qualifications :
- Experience applying the Government of Canada’s PBMM and Cloud Guardrails to secure cloud deployments.
- Hands-on experience implementing safeguards and risk mitigation strategies for sensitive IT systems.
- Experience with business impact analysis and risk evaluation in regulated environments.
- Knowledge of industry standards and best practices for cloud security, particularly in Microsoft Azure.
- Familiarity with contractual security schedules, data security analysis, and technical security documentation development.
- Experience conducting security testing and evaluation (ST&E) and documenting residual risk assessments.
- Proven experience presenting IT risk reports to executives and delivering actionable recommendations.