IT Risk

Status: Full time, indefinite

Salary range: $ 97,000 to $121,000 per year

CADTH is now Canada’s Drug Agency — a pan-Canadian health organization. We are an independent, not-for-profit organization headquartered in Ottawa, with a satellite office in Toronto. Created and funded by Canada’s federal, provincial, and territorial governments, we drive better coordination, alignment, and public value within Canada’s drug and health technology landscape.

Primary Focus

The Senior IT Risk Management Analyst is responsible for identifying, assessing, and mitigating risks to our information systems and data. This role involves conducting thorough cybersecurity and information systems risk assessments for existing and future solutions, developing and implementing mitigation strategies, and ensuring compliance with relevant cybersecurity regulations and standards.

• Conducting comprehensive risk assessments of information systems and data processes to identify potential threats and vulnerabilities
• Evaluating the impact of identified risks on IT business operations
• Developing, prioritizing, implementing, and monitoring risk mitigation strategies and controls to protect digital information assets
• Maintaining a risk register and regularly updating it with new risks and mitigation measures
• Working with business units to perform business impact analyses (BIAs) and develop risk treatment plans
• Completing threat risk and management as well as privacy impact assessments
• Working closely with the Strategy and Governance team to ensure alignment with corporate risk management and business continuity planning activities
• Assessing and managing risks associated with third-party vendors and service providers, and developing and maintaining a vendor risk management program, including policies and procedures for onboarding and monitoring vendors
• Ensuring vendor contracts include appropriate security requirements and service level agreements.

Policy and Procedure Development:

• Leading the development, implementation, and enforcement of information security policies, standards, and procedures
• Ensuring policies and procedures are aligned with regulatory requirements, industry best practices, and organizational goals
• Leading the response to information security incidents, including investigation, containment, eradication, and recovery
• Developing and maintaining incident response plans, ensuring they are tested and updated regularly
• Coordinating with internal and external partners during security incidents to ensure timely and effective resolution

Security Awareness and Training:

• Partnering with the People and Culture team to source, develop, and deliver information security awareness training programs for employees at all levels
• Conducting regular internal phishing simulations and other security exercises to assess and improve employee readiness
• Staying current with emerging threats, vulnerabilities, and security technologies through ongoing education and professional development
• Recommending and implementing improvements to the information security program based on industry trends and best practices

Audit and Compliance:

• Ensuring compliance with relevant regulations, such as the Personal Health Information Protection Act (PHIPA), Freedom of Information and Protection of Privacy Act (FIPPA), Personal Information Protection and Electronic Documents Act (PIPEDA), and Payment Card Industry Data Security Standard (PCI-DSS)
• Developing and maintaining documentation to support audit and compliance activities
• Working with auditors to address findings and implement corrective actions.
  • a postsecondary education in Information Technology, Cybersecurity, or another related field, coupled with professional experience performing work of a similar nature that is normally attained over 5 years; an equivalent combination of education and experience may be considered
  • professional certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), or equivalent certification issued by the Information Systems Audit and Control Association (ISACA)
  • strong knowledge of risk assessment methodologies, security frameworks (such as NIST, ISO 27001), threat intelligence, advanced security technologies, and regulatory requirements
  • experience leading incident response, security audits, and compliance management
  • extensive experience conducting self-assessment of IT risks and cyber security risks
  • the ability to work independently and as part of a team in a fast-paced environment
  • excellent analytical, problem-solving, and communication skills
  • advanced writing skills to author relevant policies, procedures, and training material.
    • a team-focused, supportive, and inclusive work environment
    • a competitive compensation package, including participation in the Healthcare of Ontario Pension Plan (HOOPP)
    • a comprehensive benefits package for employees and dependents
    • paid time off (including a minimum of 4 weeks of vacation leave as well as sick leave and life leave)
    • opportunities to work with and learn from highly specialized professionals
    • personal growth through professional development opportunities and support for continuing education
    • the opportunity to make a difference for people living in Canada and effect positive change.

    To apply for this position, visit the Careers section of our website.