Reporting to the Manager of Information Security, the Information Security Analyst is primarily responsible for vulnerability management. The role also involves conducting IT risk assessments and supporting other activities of the overall information security program, ensuring they stay aligned with the Information Security Program's responsibilities.
Summary of Duties:
• Coordinate and conduct network and web application vulnerability assessments.
• Collaborate with other departments to identify security risks within their operational areas, recommend appropriate security control remediation, and support the development of security process improvements to mitigate risks.
• Monitor, review, and respond to security events from the SOC, tracking them through to resolution. Escalate unresolved issues within the acceptable time frame.
• Monitor emerging threats, assess risks, and recommend relevant controls and mitigation strategies.
• Collaborate with teams to implement hardening of servers and network devices.
• Provide support for security-related projects.
• Review IT security controls and processes for new applications and services to ensure the implementation of proper technical security controls.
• Work with external consultants for independent security audits, incident response, and risk remediation when necessary.
• Review emerging security technologies and provide recommendations to enhance infrastructure security.
• Conduct security threat and risk assessments in line with industry standards, identifying necessary administrative, procedural, and technical control remediation items.
• Perform other related duties as assigned.
Qualifications/Skills:
• University degree in Business Administration, Science, Engineering, or a related field, or equivalent experience.
• Minimum of 5 years of experience in an Information Security role.
• At least 5 years of experience administering various security products such as Palo Alto and Cisco ASA firewalls, VPN, CrowdStrike endpoint protection, and Tenable network and web application scanners, and applying CIS benchmarks.
• Strong understanding of risk management, vulnerability management, and incident management.
• In-depth knowledge of IT security concepts and best practices.
• Excellent written and verbal communication, interpersonal, and customer service skills.
• Demonstrated knowledge of and familiarity with standards and frameworks such as ITIL, COBIT, ISO/IEC 31000 series, ISO/IEC 27000 series, PCI, COSO, and SOC 2.
• Proven experience in conducting supervised security threat and risk assessments, ideally within a healthcare context, using an industry-recognized framework like the Harmonized Threat and Risk Assessment (HTRA) methodology.
• Preferred certifications in IT governance or control standards, such as ISC2 (e.g., CISSP), SANS, ISACA (e.g., CISM, CISA), or PMI (e.g., PMBOK).
• Strong analytical, problem-solving, and negotiation skills.
• Proficiency in office productivity tools including email, word processing, database management, and spreadsheet applications.
• Preferred knowledge of information technology project management, software or hardware development, and/or technology operations management.
• Familiarity with the healthcare sector and experience in hospital administration or clinical support is highly desirable.
To review Sunnybrook Health Sciences Centre's Privacy Statement, please click here.