Job ID 16721
The Ontario Securities Commission (OSC) is the statutory body responsible for regulating Ontario’s capital markets in accordance with the mandate established in the provincial Securities Act and the Commodity Futures Act. The mandate of the OSC is to provide protection to investors from unfair, improper or fraudulent practices, to foster fair, efficient and competitive capital markets and confidence in the capital markets, to foster capital formation, and to contribute to the stability of the financial system and the reduction of systemic risk. This mandate is performed through policy, operational, adjudication and enforcement work. The OSC also contributes to national and global securities regulation development.
The Information Security Branch is responsible for the design, implementation and ongoing maintenance of the OSC’s information security program to achieve and sustain the organization’s security posture.
The OSC is recruiting for a Governance, Risk and Compliance Lead who will be responsible for supporting information security programs, services and initiatives in alignment with the OSC business objectives. This position will:
- Establish policies and ensure key information security protocols are adhered to across the OSC to avoid data compromises and security breaches.
- Implement, and ensure the achievement of, OSC’s strategy by remaining abreast of leading practices and new trends in order to identify recommendations for corrective measures, updates and improvements when required.
- Provide technical leadership and advice to the security operations team and other members of the OSC’s cross-functional project team to reduce information security threats and mitigate risk across the OSC.
Key Duties and Responsibilities
As a subject matter expert in information security frameworks and regulations, the successful incumbent will be responsible for the following key areas:
- Draft policies and standards guided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ISO/IEC 27001 and ISO/IEC 27002, ensuring alignment across the different functions and branches while understanding the legal implications of data confidentiality and data protection.
- Develop, assess and implement the information security controls and procedures required to protect the confidentiality, integrity and availability of OSC information.
- Leverage communication channels within the OSC to increase awareness of potential changes to security processes and understanding of privacy protection requirements across the organization.
- Provide guidance to the IS operations team and ensure they are implementing the established security framework.
- Conduct security and threat risk assessments for new and existing solutions to understand the overall risk management framework at the OSC and how data security risks are mitigated.
- Support the Chief Information Security Officer with enterprise risk management requests, ensuring compliance with regulatory requirements.
- Monitor the constantly changing cybersecurity threat environment and assess the risk it poses to the organization.
- Assist with the design and implementation of disaster recovery and business continuity plans, procedures, audits and enhancements.
- Ensure the established information security controls, standards, policies and procedures are adhered to and kept up to date.
- Lead and define information security compliance framework and align with the IS operations team to ensure its implementation.
- Review information security KPI metrics and provide recommendations on the type of actions to be taken to enhance security measures and to ensure continuous improvement of the information security frameworks across the OSC.
- Provide operational direction on compliance standards, including maintenance and administration of security systems and devices.
- Develop schedules and project plans to ensure projects are completed on time, including identification of project milestones and critical path items.
- Collaborate with the Information Services and Digital Solutions Branches on development of new solutions, ensuring that all security measures and controls are applied throughout the development lifecycle.
- Lead cross-functional teams to develop and improve policies and procedures, and design of information security frameworks.
- Remain informed on trends and issues in the security industry to serve as a trusted advisor for projects, providing technical guidance and support on matters related to information security frameworks and programs.
- Proactively manage and track information security-related risks and corresponding action plans with due dates to ensure that issues are resolved in an efficient and timely manner.
- Act as the key liaison and contact between OSC stakeholders and external IT auditors, and respond to audit queries, as required.
- Support the Chief Information Security Officer in the preparation for information security committee meetings, and represent the OSC in discussions, as required.
- Align with Legal and ensure that all information security frameworks are compliant with regulatory and data confidentiality requirements.
- Manage ongoing relationships with information security vendors and ensure that set SLAs are met.
- Collaborate with regulators and information security committees to assess and discuss possible security risks, understanding of potential impacts and consequences, and leverage lessons learned and potential solutions on information security practices.
Qualifications
- University degree in Information Technology, Computer Science, Engineering or equivalent.
- A minimum of 10 years’ experience in an Information Security or Risk Management role.
- CRISC, CISM, CISA or equivalent certification is considered an asset.
- ITIL and PMP certifications are considered assets.
- Hands-on experience with IT governance, and in-depth knowledge of information security and privacy standards and frameworks (ISO 27001, COBIT, NIST, ITIL) and of legislative, regulatory and assurance instruments (SOC 2, SOX, FIPPA, PCI DSS, MITS, etc.).
- Project and program management skills are considered an asset.
- Demonstrable experience in conducting security reviews, implementing information security recommendations, analyzing technical controls and applying security control standards.
- Strong understanding of various information security controls, their strengths and weaknesses, and how best to apply them successfully to mitigate threats.
- Experience collaborating with, or managing, vendors and auditors.
- Ability to effectively manage positive relationships with internal and external stakeholders.
- Knowledge of secure application development practices and how they can be used effectively.
- Exceptional knowledge of application, network, and operating system security, security architectures and the application of privacy and security controls.
Grow your career and make a difference working at the OSC!
Apply online at https://www.osc.ca/en/about-us/careers-osc by Monday, September 19, 2022.
We thank all applicants for their interest in the Ontario Securities Commission. We will contact those selected for an interview.
Inclusion and Diversity at the OSC
The OSC is committed to diversity and providing an inclusive workplace. It is our priority to ensure employment opportunities are visible and barrier-free to all under-represented groups, including, but not limited to, Indigenous, Black and racialized groups, people with disabilities, women and people from the LGBTQ2S community, to achieve an employee demographic profile reflective of the demographic profile of Ontarians.
The OSC is a proud partner with the following organizations: BlackNorth Initiative < https://blacknorth.ca/ >, Canadian Centre for Diversity and Inclusion < https://ccdi.ca/ >, and Pride at Work Canada < https://prideatwork.ca/ >.
If you require an accommodation during the recruitment process, please let us know by contacting our confidential inbox HRRecruitment@osc.gov.on.ca.