Risk and Compliance Specialist 0161

Foilcon

  • Toronto, ON
  • Permanent
  • Full-time
  • 26 days ago
Job Description:

HM Note: This hybrid contract role is three (3) days in office. Candidates' resumes must include first and last name.

Description

Responsibilities:
  • Coordinate and perform risk assessments against a wide variety of inputs.
  • Analyze data from various sources to identify remediation of risks.
  • Interpret policies, legislation and standards to provide adequate advice to management and executives.
General Skills:
  • Experience interpreting requirements from those standards and translating them into actionable implementations
  • Strong understanding of internal control frameworks, control mappings, and scoping
  • Familiar with a broad range of technical concepts: logical access control, agile development process, secure coding principles, security architecture, information security, network security, and privacy
  • Expertise in gap analysis, remediation, control design and risk assessments
  • Exceptional verbal and written communication skills
Desirable Skills:
  • Experience with GRC (Governance, Risk, Compliance) tools is a plus
Deliverables
  • Lead security and vendor risk assessments, identifying risks and gaps, and developing mitigation strategies for third-party vendors.
  • Conduct detailed assessments of third-party vendors’ security domains, communicate findings, prepare regular reports and updates to management and stakeholders.
  • Develop and implement cybersecurity governance frameworks, policies, and procedures in collaboration with cross-functional teams.
  • Provide support for audit, compliance, and regulatory requests. Precise and thorough documentation and analysis are essential for effective security auditing and compliance efforts.
  • Collaborate with internal teams and vendors to develop cybersecurity requirements for new solutions, ensuring alignment with security policies and standards.
  • Work with other team members to develop and align with cybersecurity requirements for solutions as required
  • Work with project teams to recommend and implement security controls to address identified risks.
  • Work with Enterprise Architecture, Solution Delivery, Security and Operations teams as part of a large program/project team to ensure security solutions meet security compliance requirements and security policies and standards
  • Identify requirements for policies and standards, and work with relevant teams in creation, development, review and approval
  • Act as a cybersecurity resource for new and upcoming project-based detail work
  • Work with project teams to identify and recommend security controls to remediate security risks and issues
  • Ongoing compliance work related to regulatory requirements and/or compliance to Metrolinx standards
  • Develop the security process, procedure, governance artifacts and security controls within the Cybersecurity Risk Management and Governance/Compliance Programs.
  • Assist with security audits and threat/risk assessments to ensure compliance with security policies, standards and procedures, and work with business/technical/operational areas in taking corrective actions on any identified security exposures
  • Provide advice, risk assessment, recommendations and technical assistance in implementing security controls for projects
  • Communicate regularly with cybersecurity teams, internal stakeholders, project teams and representatives from various functional teams, including escalating any matters to senior team members that require additional analysis
  • Support the implementation of security principles, policies, and standards to align with industry best practices, ensuring security controls are integrated into system development, deployment, and operation
Additional Terms

Experience/skills required:
  • A minimum of seven (7+) years of experience in information security, including working with large security projects
  • Strong communication, interpersonal and presentation skills for engaging with diverse stakeholders
  • Expertise in security governance, risk management, and compliance, including developing road maps, policies, standards, procedures and processes
  • Proven experience in contractual security requirements and third-party risk management through RFP processes and vendor evaluations throughout procurement life cycle
  • Ability to work in cross-functional teams, communicating complex technical information to all levels of the organization, including the leadership team
  • Proficient in cybersecurity risk management and third-party risk management tools (e.g., ServiceNow, OneTrust, Audit Board).
  • Experience with development of security processes, procedures and standards documentation
  • Strong knowledge of industry standards and regulations such as PCI-DSS, NIST, ISO 27001 and the ability to ensure compliance
  • Strong time management skills and the ability to prioritize project work and ongoing responsibilities
  • Self-motivated with the ability to work independently in a fast-paced environment
  • Proficiency with standard Microsoft Office tools such as Word, Excel, PowerPoint, PowerBI and Visio
Education:
  • A current security designation (CISSP, CISM, CCSP or CISA)
Must Haves:
  • 7+ years' Leading security and vendor risk assessments, identifying risks and gaps, and developing mitigation strategies for third-party vendors.
  • 7+ years' Developing and implementing cybersecurity governance frameworks, policies, and procedures in collaboration with cross-functional teams.
  • 7+ years' Collaborating with internal teams and vendors to develop cybersecurity requirements for new solutions
  • 7+ years' Developing the security process, procedure, governance artifacts and security controls within the Cybersecurity Risk Management and Governance/Compliance Programs.
  • 7+ years' experience in contract negotiation with procurement and legal teams through RFP processes and vendor evaluations throughout the procurement life cycle
  • 7+ years' experience with and knowledge of industry standards and regulations such as PCI-DSS, NIST, ISO 27001
  • 7+ years' experience facilitating cybersecurity awareness training