Director, Information Security Office

Locations: Corporate; Toronto, Ontario; Ottawa, Ontario; Orangeville, Ontario; Sudbury, Ontario; Bridgewater, Nova Scotia; Yarmouth, Nova Scotia; Edmundston, New Brunswick; Halifax, Canada; Montreal, Canada


Description

Position Overview:

The purpose of this role is to enhance and validate the compliance, confidentiality, integrity and security of all M1S systems and services, while maintaining operational effectiveness. The Director, Information Security is responsible for the development, delivery, and ongoing management of a comprehensive information security program for M1S. He / she will lead the information security and cyber risk management function and information security team from design to implementation and ongoing compliance in alignment with a multi-channel strategy and multi-security audits and programs.

The focus of this position is to drive all aspects of the PCI DSS and SOC2 programs, ensuring complete and consistent compliance across the organization. Heading a cross-functional team, the leader will develop and refine compliance assessment and management processes and work streams for annual assessment, gap analysis, training, remediation, and reporting. Additionally, the leader will provide implementation guidance and support, including conducting PCI DSS, SOC2, ISO 27000, etc., compliance assessments, working closely with the selected audit vendor, reporting findings and recommending controls.

Responsibilities:

  • Oversee, enhance and maintain a robust corporate information security program including policies and procedures, relevant compliance, standards and guidelines.
  • Own and develop the firm’s Information security governance model, with more regular reporting on security posture, threats, and compliance.
  • Develop, document, and implement information security procedures to enforce compliance with information security standards and policies.
  • Audit, validate and facilitate adherence to policies, standards and procedures along ISO 27001 mandates.
  • Lead compliance and IT regulation audits including but not limited to PCI-DSS, ISO27000, SOC2, internal/client audits.
  • Make improvement recommendations to managers at all levels to ensure compliance with laws, standards and policies while managing cyber security risks.
  • Manage relationships with third-party providers of services to the firm. Responsibilities include negotiation of contract language and evaluation of third-party risk related to privacy and security practices.
  • Oversee the development and implementation of hardening procedures for the firm’s servers, desktops, laptops and mobile devices.
  • Maintain significant knowledge of cyber threat actors, attack methodologies and mitigation/ remediation methods.
  • Own and investigate IT security incidents and drive forensics analysis with internal and external parties.
  • Monitor, contain, investigate, report on and continuously improve enterprise-wide systems with respect to changes and standards that affect information security.
  • Educate business users on best practices, risks, potential threats and propagate a general security awareness program throughout the firm.
  • Work collaboratively with internal and external stakeholders on projects requiring information security design guidance.
  • Hire, train, coach, mentor, and develop staff, including conducting performance reviews and providing constructive feedback through employee recognition, rewards, and disciplinary actions as needed.
  • Serve as prime contact with NTT, managing all security matters and ensuring compliance with NTT security

Education Requirements:

Certification/Degree or equivalent experience in Computer Information Systems

Certification required:

CISSP

Other Education/Certification/Training preferred:

Relevant Industry Certifications such as GIAC, PCIP, CISA, CISM, PCI ISA

Work Experience Requirements:

  • A minimum of 10 years progressive experience in information security
  • 5+ years of experience in assessments of controls required for PCI-DSS compliance
  • 4+ years of experience in SSAE16 (SOC) audits
  • 4+ years of experience in Network Security administration
  • 4+ years of experience with security/hardening controls
  • 4+ years evaluating security risks & adopting appropriate risk treatment strategies
  • 4+ years of experience in managing cloud security
  • 4+ years of experience in managing security incidents, system vulnerabilities and threat management programs
  • In-depth knowledge of access control systems and methodology

Other Requirements:

  • Successful candidates to undergo a Credit and Criminal Background Check
  • Successful candidates are required to sign a non-disclosure agreement (NDA) specific to the sensitive information accessed by this team

Millennium1 Solutions is an equal opportunity employer and welcomes and encourages applications from people with disabilities. Accommodations are available on request for candidates taking part in all aspects of the selection process.