Senior IT Risk Management Analyst

 

Status: Full time, indefinite

Location: Ottawa, Ontario or Toronto, Ontario (hybrid)

Closing date: November 22, 2024

Salary range: $ 97,000 to $121,000 per year

CADTH is now Canada’s Drug Agency — a pan-Canadian health organization. We are an independent, not-for-profit organization headquartered in Ottawa, with a satellite office in Toronto. Created and funded by Canada’s federal, provincial, and territorial governments, we drive better coordination, alignment, and public value within Canada’s drug and health technology landscape. We provide Canada’s health system leaders with independent evidence and advice so they can make informed drug, health technology, and health system decisions, and we collaborate with national and international partners to enhance our collective impact.

We are proud to be a 2024 National Capital Region Top Employer. This recognition celebrates our dedication to fostering a work environment that nurtures growth; innovation; and inclusion, diversity, equity, and accessibility (IDEA). It reaffirms our ongoing efforts to create an outstanding workplace where our employees thrive and feel valued.

Most of our employees participate in a hybrid workspace arrangement that allows for flexibility and enhanced work-life balance. We believe in the positive impact of in-person collaboration and the importance of team building. Added consideration is given to qualified candidates who live near our offices and can participate in a hybrid arrangement. Those applying must be located in Ontario, except in rare circumstances where the employment position is remote.

 

Primary Focus

The Senior IT Risk Management Analyst is responsible for identifying, assessing, and mitigating risks to our information systems and data. This role involves conducting thorough cybersecurity and information systems risk assessments for existing and future solutions, developing and implementing mitigation strategies, and ensuring compliance with relevant cybersecurity regulations and standards. The Senior IT Risk Management Analyst will work closely with various internal partners to ensure that our information security policies and practices are effectively implemented and maintained, including performing security audits, monitoring potential threats, and responding to security incidents.

 

What do the daily responsibilities look like?

On any given day, the Senior IT Risk Management Analyst will be responsible for several areas, as follows.

 

IT Risk Management:

• Conducting comprehensive risk assessments of information systems and data processes to identify potential threats and vulnerabilities

• Evaluating the impact of identified risks on IT business operations

• Developing, prioritizing, implementing, and monitoring risk mitigation strategies and controls to protect digital information assets

• Maintaining a risk register and regularly updating it with new risks and mitigation measures

• Working with business units to perform business impact analyses (BIAs) and develop risk treatment plans

• Completing threat risk and management as well as privacy impact assessments

• Working closely with the Strategy and Governance team to ensure alignment with corporate risk management and business continuity planning activities

• Assessing and managing risks associated with third-party vendors and service providers, and developing and maintaining a vendor risk management program, including policies and procedures for onboarding and monitoring vendors

• Ensuring vendor contracts include appropriate security requirements and service level agreements.

 

Policy and Procedure Development:

• Leading the development, implementation, and enforcement of information security policies, standards, and procedures

• Ensuring policies and procedures are aligned with regulatory requirements, industry best practices, and organizational goals

• Reviewing and updating security policies regularly to address emerging threats and changing business needs.

 

Incident Response:

• Leading the response to information security incidents, including investigation, containment, eradication, and recovery

• Developing and maintaining incident response plans, ensuring they are tested and updated regularly

• Coordinating with internal and external partners during security incidents to ensure timely and effective resolution

• Preparing detailed incident reports and post-incident analyses to identify lessons learned and improve response processes.

 

Security Awareness and Training:

• Partnering with the People and Culture team to source, develop, and deliver information security awareness training programs (presentations, videos, newsletters) for employees at all levels

• Conducting regular internal phishing simulations and other security exercises to assess and improve employee readiness

• Staying current with emerging threats, vulnerabilities, and security technologies through ongoing education and professional development
• Recommending and implementing improvements to the information security program based on industry trends and best practices

• Collaborating with other business units to identify opportunities for enhancing overall security posture.

 

Audit and Compliance:

• Ensuring compliance with relevant regulations, such as the Personal Health Information Protection Act (PHIPA), Freedom of Information and Protection of Privacy Act (FIPPA), Personal Information Protection and Electronic Documents Act (PIPEDA), and Payment Card Industry Data Security Standard (PCI-DSS)

• Developing and maintaining documentation to support audit and compliance activities

• Working with auditors to address findings and implement corrective actions.

 

 

Is this the right role for you?

 

The Senior IT Risk Management Analyst will likely have:

• a postsecondary education in Information Technology, Cybersecurity, or another related field, coupled with professional experience performing work of a similar nature that is normally attained over 5 years; an equivalent combination of education and experience may be considered

• professional certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), or equivalent certification issued by the Information Systems Audit and Control Association (ISACA)

• strong knowledge of risk assessment methodologies, security frameworks (such as NIST, ISO 27001), threat intelligence, advanced security technologies, and regulatory requirements

• experience leading incident response, security audits, and compliance management

• extensive experience conducting self-assessment of IT risks and cyber security risks

• familiarity with data privacy laws and regulations

• the ability to work independently and as part of a team in a fast-paced environment

• excellent analytical, problem-solving, and communication skills

• advanced writing skills to author relevant policies, procedures, and training material.

 

 

What will set you apart?

 

The following are considered asset qualifications:

• experience with security tools such as SIEM, IDS/IPS, DLP, and vulnerability management systems
• knowledge of cloud security and experience with cloud platforms such as AWS, Azure, or Google Cloud
• advanced skills in using risk management software and tools
• experience developing and delivering security awareness training programs
• fluency in French.

 

 

What’s in it for you?

 

At Canada’s Drug Agency, you will find:

• a team-focused, supportive, and inclusive work environment
• a competitive compensation package, including participation in the Healthcare of Ontario Pension Plan (HOOPP) — 1 of Canada’s largest and most successful defined benefit pension plans
• a comprehensive benefits package for employees and dependents, including health, dental, life, and travel insurance; a health spending account; and an employee assistance program
• paid time off (including a minimum of 4 weeks of vacation leave as well as sick leave and life leave, a December holiday closure, and other leave options)
• opportunities to work with and learn from highly specialized professionals
• personal growth through professional development opportunities, corporate training, and support for continuing education
• a friendly culture that supports community engagement
• the opportunity to make a difference for people living in Canada and effect positive change.

To apply for this position, visit the Careers section of our website. Your résumé must clearly identify how your skills and experience relate to the requirements of this role. Applications for this opportunity may be used for future staffing vacancies. We thank you for your interest; however, only those candidates selected for further consideration will be contacted. Please visit our website regularly for new opportunities.

At Canada’s Drug Agency, we actively celebrate, support, and flourish through our differences. Our employees are people with different strengths, experiences, and backgrounds who share a passion for building the future of health care. We demonstrate a commitment to IDEA through continuous training, modelling inclusive behaviours, and proactively managing biases. We highly encourage all qualified applicants to apply, including people of all places of origin and religions, people with disabilities, people who are neurodivergent, people who are Black or racialized, Indigenous people, women, and people from the 2SLGBTQ+ community. We also provide accommodations during all phases of the recruitment process. If you require any accommodations during the recruitment process, please let the Talent Acquisition team know when they contact you. We will work with you to meet your needs.

Please note that, as a condition of employment, successful candidates will be required to complete a confidential pre-employment background check, including criminal, employment, and educational verifications.

 

Candidates must be legally eligible to work in Canada. We regret that we are unable to sponsor employment visas at this time.

 

#LI-Hybrid