Job DescriptionJob Description – Senior Security Risk Assessment Consultant (Digital Trust)Requisition ID: RQ00365
Client: Service New Brunswick (SNB)
Project: Digital Trust – Security Risk Assessment (SRA)
Location: Hybrid and Onsite - Fredericton, New Brunswick, if required
Start Date: 07/30/2026
About the OpportunityService New Brunswick (SNB) is seeking an experienced
Senior Security Risk Assessment Consultant to lead a comprehensive Security Risk Assessment (SRA) for its Digital Trust solution. The successful consultant will perform an end-to-end architectural security assessment, application security testing, mobile security testing, and penetration testing across a modern digital identity ecosystem consisting of mobile applications, cloud services, identity platforms, APIs, vendor solutions, and government systems.
This engagement requires extensive expertise in security risk assessments, application security, mobile security, cloud security, identity and access management, and OWASP security frameworks.
Requirements
Key ResponsibilitiesThe successful consultant will:
- Lead the end-to-end Security Risk Assessment (SRA) for the Digital Trust solution.
- Perform architectural risk assessments across mobile applications, cloud services, portals, APIs, vendor components, and internal government systems.
- Conduct application security testing using OWASP ASVS Level 3 methodologies.
- Perform mobile application security testing utilizing OWASP MASVS at the highest applicable testing level.
- Execute penetration testing against solution components.
- Perform static application security testing (SAST).
- Perform dynamic application security testing (DAST).
- Validate authentication and authorization controls.
- Assess identity proofing, credential issuance, credential management, credential revocation, authentication, authorization, and workflow orchestration services.
- Review integrations between Ping Identity, Microsoft Entra, AMANDA, BizTalk, cloud storage services, and Digital Trust applications.
- Assess APIs, data flows, business logic, user roles, permissions, audit logging, and integration components supporting Digital Trust.
- Evaluate end-to-end Verifiable Credential (VC) lifecycle processes including issuance, presentation, updates, revocation, and verification.
- Produce comprehensive Security Risk Assessment documentation with findings, risk ratings, recommendations, and mitigation strategies.
- Present assessment results to project stakeholders and participate in project meetings.
- Work occasional evenings or weekends as required to support assessment activities.
Mandatory Requirements (M1–M2)Candidates
must clearly demonstrate the following:
M1- Written and spoken English communication skills are mandatory.
M2- Minimum 5 years of experience conducting Security Risk Assessments.
Candidates who do not clearly demonstrate all mandatory requirements will not be considered.
Scored Requirements (S1–S4)Candidates will be evaluated based on demonstrated experience in the following areas:
S1- 3+ years conducting security assessments involving:
S2- 1+ year conducting security assessments involving:
- Identity platforms
- Authentication platforms
S3- 1+ year of experience with:
- Service New Brunswick security assessment processes, or
- Similar government security assessment methodologies.
S4- 3+ years producing Security Risk Assessment (SRA) deliverables or equivalent assessments for:
- Complex enterprise environments
- Public sector organizations
- Regulated industries
- Privacy-sensitive services.
Required Technical SkillsThe ideal candidate will possess experience with:
- Security Risk Assessments (SRA)
- Penetration Testing
- Vulnerability Assessments
- Application Security Testing
- Mobile Application Security Testing
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- OWASP ASVS Level 3
- OWASP MASVS
- OWASP security methodologies
- Secure authentication and authorization validation
- Identity and Access Management (IAM)
- Identity proofing
- Digital Identity platforms
- API security assessments
- Cloud security assessments
- Mobile security testing
- Verifiable Credentials (VC)
- Risk analysis and mitigation
- Security architecture reviews
- Enterprise integrations
- Audit logging and compliance reviews
- Technical documentation and reporting
Desired ExperiencePreference will be given to candidates with experience in:
- Ping Identity platform (PingOne Verify, PingOne DaVinci, PingOne Credentials)
- Microsoft Entra
- AMANDA (Granicus)
- Citizen Portal for AMANDA
- BizTalk integrations
- Cloud storage security
- Government Digital Identity solutions
- Public sector security programs
- Privacy-sensitive or regulated environments
- Mobile identity applications
- Government security governance and assessment methodologies.
DeliverablesThe successful consultant will be responsible for delivering:
- Vendor Security Assessment
- Penetration Testing Assessment
- OWASP ASVS Application Security Testing
- OWASP MASVS Mobile Security Assessment
- Comprehensive Security Risk Assessment documentation
- Assessment reports with recommendations
- Participation in stakeholder meetings and technical review sessions.
Reporting StructureThe consultant will report to Service New Brunswick's:
- Departmental Information Security Officer (DISO)
- Security Strategist
- Digital Trust Project Manager.
RequirementsMandatory Requirements (M1–M2) Candidates must clearly demonstrate the following: M1 Written and spoken English communication skills are mandatory. M2 Minimum 5 years of experience conducting Security Risk Assessments. Candidates who do not clearly demonstrate all mandatory requirements will not be considered. Scored Requirements (S1–S4) Candidates will be evaluated based on demonstrated experience in the following areas: S1 3+ years conducting security assessments involving: OWASP ASVS OWASP MASVS S2 1+ year conducting security assessments involving: Identity platforms Authentication platforms S3 1+ year of experience with: Service New Brunswick security assessment processes, or Similar government security assessment methodologies. S4 3+ years producing Security Risk Assessment (SRA) deliverables or equivalent assessments for: Complex enterprise environments Public sector organizations Regulated industries Privacy-sensitive services. Required Technical Skills The ideal candidate will possess experience with: Security Risk Assessments (SRA) Penetration Testing Vulnerability Assessments Application Security Testing Mobile Application Security Testing Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) OWASP ASVS Level 3 OWASP MASVS OWASP security methodologies Secure authentication and authorization validation Identity and Access Management (IAM) Identity proofing Digital Identity platforms API security assessments Cloud security assessments Mobile security testing Verifiable Credentials (VC) Risk analysis and mitigation Security architecture reviews Enterprise integrations Audit logging and compliance reviews Technical documentation and reporting Desired Experience Preference will be given to candidates with experience in: Ping Identity platform (PingOne Verify, PingOne DaVinci, PingOne Credentials) Microsoft Entra AMANDA (Granicus) Citizen Portal for AMANDA BizTalk integrations Cloud storage security Government Digital Identity solutions Public sector security programs Privacy-sensitive or regulated environments Mobile identity applications Government security governance and assessment methodologies.