IT Security Tra and C&a Analyst

**Company Description**

ADGA requires the services of an Information Technology Security TRA and C&A Analyst to work on the Identity Credential and Access Management (ICAM) team that is developing an identity solution for small departments and agencies (SDA) in the Government of Canada. The team requires an IT Security TRA and C&A Analyst to assist them in preparing for a Security Assessment of the new architecture, which leverages components of the legacy ICAM solution. The objective of the Security Assessment would be for the new service to gain Authority to Operate on an Enterprise basis with an acceptable level of risk. The ICAM team has identified that the system, once in place, will need to satisfy Protected B - Medium Integrity, Medium Availability (PBMM) security requirements.

The IT Security TRA and C&A Analyst’s responsibilities will include, but are not limited to, the following:

- Identifying threats to, and vulnerabilities of operating systems (such as MS, Unix, Linux, and Novell), and wireless architectures.
- Identifying personnel, technical, physical, and procedural threats to and vulnerabilities of Federal, Provincial or Territorial IT systems.
- Developing reports such as:

- Data security analysis,
- Concepts of Operation,
- Statements of Sensitivity (SoSs),
- Threat assessments,
- Privacy Impact Assessments (PIAs),
- Non-technical Vulnerability Assessments,
- Risk assessments,
- IT Security threat, vulnerability and/or risk briefings.
- Conducting Certification activities such as:

- Developing Security Certification Plans, verifying that the security safeguards meet the applicable policies and standards,
- Validating the security requirements by mapping the system-specific security policy to the functional security requirements, and mapping the security requirements through the various stages of design documents, verifying that security safeguards have been implemented correctly and that assurance requirements have been met.
- Confirming that the system has been properly configured and that the safeguards meet applicable standards, conduct security testing and evaluation (ST&E) to determine if the technical safeguards are functioning correctly,
- Assessing the residual risk provided by the risk assessment to determine if it meets an acceptable level of risk.
- Conduct Accreditation activities such as a review of the certification results in the design review documentation by the Accreditation Authority to ensure that the system will operate with an acceptable level of risk and that it will comply with the departmental and system security policies and standards and identify the conditions under which a system is to operate (for approval purposes). This may include the following types of approvals:

- Developmental approval by both the Operational and the Accreditation Authorities to proceed to the next stage in an IT system's life cycle development if sensitive information is to be handled by the system during development.
- Operational written approval for the implemented IT system to operate and process sensitive information if the risk of operating the system is deemed acceptable, and if the system is in compliance with applicable security policies and standards.
- Interim approval—a temporary written approval to process sensitive information under a set of extenuating circumstances where the risk is not yet acceptable, but there is an operational necessity for the system under development.
- Develop and deliver training material relevant to the resource category.
- The proposed resource may not be solely responsible for the completion of these deliverables. The consultant will be expected to work collaboratively with staff to ensure the work is completed in a way that ensures maximum knowledge transfer.

**Qualifications**
- A minimum of a three-year college diploma in computer science or other IT-related field, a university degree at the Bachelor level in Information Technology or other IT-related field; OR a minimum of 7 years within the last 15 years of work experience in the IT field.
- A minimum of 7 years experience performing tasks like those listed in the Job Description above.
- Must currently have or be eligible for a PWGSC Secret (LVL II) security clearance.
- A minimum of 7 years of experience, in the last 10 years, with IT security, including experience in security operations, architecture, incident response, and team leadership.
- A minimum of 7 years of experience, in the last 10 years identifying and mitigating risks, along with knowledge of legal and regulatory compliance requirements.
- A minimum of 7 years of experience, in the last 10 years developing and implementing comprehensive security policies and frameworks that align with business goals.
- Certifications such as CISSP, CISM, CRISC, SABSA Chartered Security Architect, CEH, CCSP, and various GIAC credentials.
- A minimum of 7 years of experience, in the last 10 years demonstrating leadership and proje