Security Governance Analyst Jobs

Metrolinx is connecting communities across the Greater Golden Horseshoe. Metrolinx operates GO Transit and UP Express, as well as the PRESTO fare payment system. We are also building new and improved rapid transit, including GO Expansion, Light Rail Transit routes, and major expansions to Toronto’s subway system, to get people where they need to go, better, faster and easier. Metrolinx is an agency of the Government of Ontario.
At Metrolinx, equity, diversity and inclusion are essential to living our values of serving with passion, thinking forward and playing as a team.
Our Payments Security Office is seeking a Security Governance Analyst to safeguard technology assets against internal and external security threats to the confidentiality, integrity, and availability of business information and systems by developing and implementing day-to-day system security controls, and identifying and remediating threats for identified vulnerabilities. Provides security governance of delivery projects and supports audits by analyzing and responding to results.
What will I be doing?

• Supports and acts on remediation plans and responses to internal and external audit findings. (PCI, OAG, General Controls Audit, Internal Audit, Critical Infrastructure Protection, etc.)
• Support Cybersecurity Awareness Training through training module uploads, training completion tracking
• Support risk identification & assessment, response & mitigation, control monitoring and reporting
• Supports the Metrolinx Payment Card Industry (PCI) program by completing tasks as required (i.e. data compilation and reporting)
• Liaising with Managed Security Service Providers (MSSPs) and participating in the design, developing, deployment, and support of information security systems and solutions (e.g. authentication, key management, Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM), antimalware, etc.)
• Interact with internal and external audit partners on a periodic basis to coordinate and monitor IT responsibilities for the completion of compliancy certifications
• Gathering and preparing data for reporting security service performance metrics that includes status of information systems, services obtained from external providers, and actions for improvement
• Participating and contributing to benchmarking exercises for comparison to industry standards (ISF, ISO, NIST) and industry peers in the government and transportation sectors.
• Reviewing and support information system change requests by assisting with risk assessment prior to implementation to identify new sources of risk or elevation in the severity of currently identified risks
• Reviewing and implementing data backup, restoration, and retention policies and procedures; monitoring performance of backup recovery systems through periodic testing
• Participates and provides input into the development and implementation of information security policies, standards, processes, and procedures

What Skills and Qualifications Do I Need?

• Experience in security architecture requirements analysis and impact assessment in the context of security architecture. Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and the NIST Cybersecurity Framework
• Minimum six (6) years’ experience developing and implementing system security controls, remediation of security issues and identifying and managing threats to the achievement of business objectives; project management experience; and broad-based experience in the CISSP security domains.
• Project management and interpersonal skills to coordinate complex projects to meet approved timelines
• Technical certifications such as CISSP, CCSP, CISA or CISM are an asset
• Completion of a degree in Computer Science, Information Technology (IT), or a related discipline – or a combination of education, training and experience deemed equivalent
• Experience with cloud services (Software-as-a-Service, Platform-as-a-Service)
• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate cybersecurity and risk-related concepts to technical and non-technical audiences at various hierarchical levels, ranging from board members to technical specialists
• Advanced knowledge and experience with agile methodology and principles in the IT environment

Don’t Meet Every Requirement?
If you’re excited about working with Metrolinx but your past experience doesn’t quite align with every qualification of this posting, we encourage you to apply. You just might be the right candidate for this or other roles. We are always looking for great talent to join our team.
We invite all interested individuals to apply and encourage applications from members of equity-deserving communities, including those who identify as Indigenous, Black, racialized, women, people with disabilities, and people with diverse gender identities, expressions and sexual orientations.
Accommodation
We value the unique skills and experiences each person brings to Metrolinx and are committed to creating and maintaining an inclusive and accessible environment. We are committed to the requirements of the Accessibility for Ontarians with Disabilities Act so if you require accommodation during the hiring process, please let our Recruitment team know by contacting us at: 416-202-5601 or email [email protected].
Application Process
All applicants must be legally entitled to work in Canada. Metrolinx will be using email to communicate with you for all job competitions. It is your responsibility to include an updated email address that is checked daily and accepts emails from unknown users. As we send time-sensitive correspondence, we recommend that you check your email regularly. If no response is received, we will assume you are no longer interested in pursuing the opportunity. Please be advised that a Criminal Record Check may be required of the successful candidate. Should it be determined that any background information provided is misleading, inaccurate or incorrect, Metrolinx reserves the right to discontinue with the consideration of your application.
We thank all applicants for their interest, however, only those selected for further consideration will be contacted.
WE ARE AN EQUITABLE AND INCLUSIVE EMPLOYER.