IT Security TRA and C&A Analyst - Security Assessor
Friday, February 22, 2019
Tasks and Activities
- Review, analyze, and/or apply Federal, Provincial or Territorial IT Security policies, Security Assessment and Authorization processes
- Collect and review evidence and assess the effectiveness of security controls. This includes confirming that the system has been properly configured and establishing that the safeguards meet applicable standards. Conduct security testing and evaluation (ST&E) to determine whether the technical safeguards are functioning correctly.
- Identify personnel, technical, physical, and procedural threats to and vulnerabilities of Federal, Provincial or Territorial IT systems;
- Calculate residual risks in accordance with the Government of Canada’s Harmonized Threat and Risk Assessment (HTRA) Methodology
- Develop reports such as: Concepts of operation, Statements of Sensitivity (SoSs), Security Requirements Traceability Matrices, and Statements of residual risks.
- Develop and deliver training material relevant to the resource category;
- Lead translation of security controls into technical specifications for stakeholders;
- Present the results of penetration tests and vulnerability assessments to stakeholders including senior or executive leadership;
- Communicate the results and recommendations for improvements to stakeholders
- Provide updates/status reporting to project team management as required.
Skills and Experience
- You must hold a valid Government of Canada Secret security clearance
- You must be legally able to work in Canada
- You must have an advanced university degree or post-secondary diploma in Information Technology or Computer Science
- You have demonstrated professional work experience transforming security controls into technical specifications.
- You have demonstrated professional work experience identifying security control requirements and completing traceability matrices.
- You have one or more of the following certifications:
  - CISSP (Certified Information Systems Security Professional)
  - CISA (Certified Information Systems Auditor)
  - CRISC (Certified in Risk and Information Systems Control)
  - CAP (Certified Authorization Professional)