Specialist, IT Security Risk Management

**Job Requisition ID**: 8934

**Language Designation**: English Essential

**Language Skill Levels (Read/Write/Speak)**: ZZZ

**Position Status**: Permanent Full Time

**Travel Requirement**: Occasional

**Office Location**:Ottawa (ON); Montreal (QC); Toronto (ON)

**Salary**: Our salaries generally range from $ 78657.14 to $ 98321.43 and are based on qualifications and experience.

At CMHC, we trust you to get the job done. We empower our employees to be fully autonomous and accountable in achieving their results. Employees focus on how they achieve results rather than when and where they choose to work.

Here are some of the reasons why we were chosen as one of Canada's top employers:

- Enjoy 5 weeks of vacation;
- An annual individual performance bonus;
- Defined benefit pension plan;
- Comprehensive group insurance to support your well-being from day one;
- Access to a catalogue of courses for individual learning;
- An inclusive workplace culture and environment with multiple Employee Resource Groups and much more

**Help make a difference for Canadians.** CMHC’s aspiration is that by 2030, everyone in Canada has a home that they can afford and that meets their needs. All of our programs and activities support this singular goal.

**Be part of an inclusive workplace.** Diversity and Inclusion guides everything we do at CMHC. We’re taking concrete actions to eradicate racism and advance equity within CMHC and the housing system.

Bring your risk management skills as well as your IT security expertise to this IT Security Risk Management Specialist position.

Join the Security Team as a Specialist where you will be responsible for supporting CMHC’s information technology risk, privacy, compliance and security programs. While working in conjunction with other professional colleagues and specialists, you will be acting as an expert advisor to management concerning IT security risks that involves and/or affects security, such as conducting security threats and risk assessments related to existing and new technologies. You will also be developing and implementing CMHC's security awareness program as well as its technology risk management policies, directives, procedures and guidelines.

**Responsibilities**:

- Developing and maintaining an IT security risk management framework to quickly identify and flag current and evolving threats to CMHC.
- Identifying and assessing the severity and potential impact of risks to IT Security and recommending a risk management strategy that optimizes the trade-offs between risk mitigation and business performance.
- Conducting security threat and risk analysis including information from any technical vulnerability assessment and penetration testing.
- Elaborating, characterizing, assessing and evaluating risks and making decisions dispassionately.
- Investigating, assessing, tracking, resolving and reporting on mitigated actions and/or on suspected violations of policies and procedures in coordination with appropriate entities (e.g., Internal Audit team, Chief Risk Officer's delegates).
- Communicating IT security risk models and risk assessment findings to various risk management teams within CMHC.
- Developing new or identifying existing information security training, education and awareness activities appropriate for various audiences.
- Facilitating, guiding and overseeing audits and oversight activities concerning, physical security and the security of information systems.
- Ensuring decisions are aligned to the enterprise security architecture plans and guidelines.
- Conducting research to stay abreast of security strategies, technologies and techniques that may have an impact on IT security at CMHC.
- Reviewing contracts with third-party vendors for adequacy of coverage of security and compliance requirements.

**Minimum Qualifications**:

- A commitment to demonstrating CMHC’s values.
- Bachelor’s degree, preferably in Cyber Security, Computer Security, Information Systems Security, Computer Science or in a related field. An equivalent combination of related education and work experience may be considered.
- Minimum of five (5) years of increasing responsibilities and relevant work, experience/expertise in IT Security and/or in information security.
- Demonstrated experience in overseeing the IT/network operations of a corporation.
- Demonstrated experience in writing complex risk analysis/risk assessment reports for a variety of audiences (technical and non-technical).
- Experience and/or knowledge of recognized standards. E.g. NIST CSF, ISO 27001/27002, ITSG-33, etc.
- Knowledge of Canadian laws and Government of Canada regulatory requirements and standards. E.g. Treasury Board, Office of the Superintendent of Financial Institutes, etc.
- Strong organizational skills, including an ability to manage several ongoing and competing tasks and/or projects.
- Ability to build and manage effective working relationships with peers, and internal and external stak