HM Note: This hybrid contract role is two (2) days in office. Candidates' resumes must include first and last name.
Description
Background Information
This engagement involves leading the end-to-end execution of a Threat Risk Assessment (TRA) to evaluate the security posture of the information system, its applications, infrastructure, and business processes.
The objective is to identify potential threats, assess vulnerabilities, and determine the likelihood and impact of various risk scenarios affecting confidentiality, integrity, and availability.
Key activities included:
Scoping the assessment in collaboration with business and technical stakeholders.
Conducting structured risk analysis using recognized frameworks such as ISO 31000, NIST RMF, or FAIR.
Performing threat modeling (e.g., STRIDE, MITRE ATT&CK) to map potential attack vectors and security gaps.
Reviewing system architecture, data flows, and existing controls.
Assessing compliance with relevant regulatory and organizational security requirements.
Documenting findings in a detailed TRA report, including risk ratings and actionable mitigation recommendations.
Presenting results to executive leadership and supporting integration of risk treatments into the broader security strategy.
Must haves:
In-depth knowledge of risk management frameworks (e.g., ISO 31000, NIST RMF - Risk Management Framework) and threat modelling methodologies (e.g., STRIDE, DREAD).
Expertise in identifying, evaluating, and prioritizing threats and vulnerabilities across physical, cyber, and operational domains.
Strong analytical skills to assess potential impacts and likelihoods of various threat scenarios.
Proficiency with risk assessment matrices.
Excellent communication and reporting abilities to effectively present findings and risk mitigation strategies to both technical teams and executive stakeholders.
Familiarity with legal, regulatory, and compliance requirements, ensuring assessments align with organizational and industry standards (e.g., PHIPA - Personal Health Information Protection Act).
Proactive mindset and situational awareness to anticipate and adapt to emerging threats in a dynamic risk environment.
Responsibilities:
Lead end-to-end Threat Risk Assessment (TRA) initiatives across systems, processes, and assets.
Develop and apply threat models to assess organizational security posture.
Collaborate with stakeholders to align assessments with business objectives and risk tolerance.
Analyze vulnerabilities and assess threats to determine likelihood and potential impact.
Produce detailed TRA reports, documenting findings, recommendations, and risk ratings.
Maintain risk registers and track remediation efforts.
Propose actionable mitigation strategies based on assessment outcomes.
Ensure alignment with:
Regulatory requirements
Industry standards
Organizational security policies
Communicate findings effectively to both technical teams and executive leadership.
Support audit and compliance activities as needed.
Contribute to the continuous improvement of risk management frameworks and methodologies.
Stay informed on emerging threats, vulnerabilities, and security best practices.
Desired Skills:
Demonstrated expertise in enterprise risk analysis, with a solid background in applying risk management frameworks such as ISO 31000, FAIR, and NIST RMF to identify, evaluate, and prioritize organizational security risks.
Hands-on experience conducting structured threat analysis, utilizing methodologies like STRIDE, PASTA (Process for Attack Simulation and Threat Analysis), and MITRE ATT&CK. Familiarity with creating threat models, mapping attack surfaces, and visualizing system flows to uncover security weaknesses.
Strong command of cybersecurity governance practices, including the development and enforcement of information security policies and standards. Practical understanding of how to align internal controls with recognized frameworks like ISO 27001, NIST CSF, and the CIS Critical Security Controls.
Proven ability to translate technical risk findings into clear business language, producing high-quality documentation such as executive summaries, detailed risk reports, and stakeholder presentations. Skilled in managing communication between technical teams and leadership to drive informed decision-making.
Required Skills:
Risk Management & Assessment - 5-7 years
Proven experience in conducting threat risk assessments using frameworks like ISO 31000, NIST RMF, or Factor Analysis of Information Risk (FAIR).
Threat Modeling - 3-5 years
Practical knowledge of threat modeling techniques (e.g., STRIDE, PASTA, MITRE ATT&CK), including development of data flow diagrams and attack vectors.
Information Security Governance - 5+ years
Strong understanding of security policies, standards, and controls aligned with ISO 27001, NIST CSF, and CIS Controls.
Communication & Reporting - 5+ years
Skilled in writing technical and executive-level reports, risk registers, and presenting to stakeholders and leadership.
Required Experience / Evaluation Criteria:
5-7 years of hands-on experience with threat modeling techniques such as STRIDE, PASTA, and MITRE ATT&CK, including the development of data flow diagrams and identification of attack vectors to inform secure design decisions and guide risk mitigation strategies across systems and applications: 20 points
5-7 years of experience conducting comprehensive threat and risk assessments using frameworks such as ISO 31000, NIST RMF, and FAIR, with a strong focus on identifying vulnerabilities, analyzing potential impacts, and delivering actionable risk mitigation strategies to stakeholders: 20 points
5-7 years of extensive experience with security controls and architecture, with a strong ability to identify gaps between the current security posture and industry standards, best practices, and regulatory requirements: 40 points
Over 5 years of experience authoring technical and executive-level reports, developing risk registers, and delivering presentations to stakeholders and senior leadership: 20 points
Total evaluation criteria: 100 points
Deliverables
Deliverables include, but are not limited to:
TRA (Threat Risk Assessment) Report:
A comprehensive document outlining identified threats, vulnerabilities, risks, and proposed mitigation strategies, tailored to the organization's context.
Risk Register:
A structured log of all identified risks, including severity, likelihood, risk rating, responsible owners, and mitigation actions.
Threat Modeling Diagrams:
Visual representations of systems, data flows, and potential threat vectors using models like STRIDE or attack trees.
Risk Assessment Matrix:
A visual tool mapping the likelihood and impact of risks to prioritize them effectively.
Asset Inventory & Classification:
A list of assets in scope (e.g., systems, applications, data) categorized by value and sensitivity.
Vulnerability Assessment Results:
A summary of technical vulnerabilities discovered during the assessment, often with outputs from tools like Nessus or OpenVAS.
Gap Analysis:
Identification of discrepancies between current security posture and industry standards, best practices, or regulatory requirements.
Mitigation & Remediation Plan:
Detailed action plans with timelines and responsibilities for reducing identified risks to acceptable levels.
Executive Summary:
A high-level summary tailored for senior leadership, focusing on key findings, business impact, and strategic recommendations.
Compliance Mapping:
Documentation showing how risks and controls align with regulatory or standards frameworks (e.g., NIST, ISO 27001, SOC 2).
Presentation Deck:
Slide-based briefing to communicate findings, risks, and recommendations to stakeholders in a clear and digestible format.
Knowledge Transfer Details:
The resource will ensure full knowledge transfer is provided to the Ontario Health team before the end of the engagement. Some of this may occur at the end of the engagement, but information will also be shared as it is obtained and consolidated. Key deliverables will be shared with the team.
The resource must provide all related documentation as part of the knowledge transfer protocol. Documents will be reviewed by the appropriate leads and signed off by the manager/director.
The resource will work collaboratively with the Ontario Health team throughout the assignment and ensure key deliverables, milestones, and documentation are shared.
A walkthrough of any demos, development, etc. will be required before the end of the engagement.
Must Haves:
5-7 years' experience with risk management frameworks (e.g., ISO 31000, NIST RMF - Risk Management Framework) and threat modelling methodologies (e.g., STRIDE, DREAD).
5-7 years' experience identifying, evaluating, and prioritizing threats and vulnerabilities across physical, cyber, and operational domains.
5-7 years' experience assessing potential impacts and likelihoods of various threat scenarios.
Nice to have:
Familiarity with legal, regulatory, and compliance requirements, ensuring assessments align with organizational and industry standards (e.g., PHIPA - Personal Health Information Protection Act).