IBM

IT Security - SA&A Consultant - Contract Role

September 14, 2021

Introduction
At IBM, work is more than a job - it's a calling: To build. To design. To code. To consult. To think along with clients and sell. To make markets. To invent. To collaborate. Not just to do something better, but to attempt things you've never thought possible. Are you ready to lead in this new era of technology and solve some of the world's most challenging problems? If so, let's talk.
Your Role and Responsibilities
Security Assessment & Authorization Consultants
  • Review, analyze, and/or apply Federal, Provincial or Territorial IT Security policies, System IT Security Assessment & Accreditation processes, IT Security products, safeguards and best practices, and IT Security risk mitigation strategies;
  • Identify threats to, and vulnerabilities of, operating systems (such as MS, Unix, Linux, and Novell), and wireless architectures;
  • Identify personnel, technical, physical, and procedural threats to and vulnerabilities of Federal, Provincial or Territorial IT systems;
  • Develop reports such as: Data security analysis, Concepts of operation, Statements of Sensitivity (SoSs), Threat assessments, Privacy Impact Assessments (PIAs), Non-technical Vulnerability Assessments, Risk assessments, IT Security threat, vulnerability and/or risk briefings;
  • Conduct Assessment activities such as: Develop Security Assessment Plans; verify that security safeguards meet the applicable policies and standards; validate the security requirements by mapping the system-specific security policy to the functional security requirements, and mapping the security requirements through the various stages of design documents; verify that security safeguards have been implemented correctly and that assurance requirements have been met (this includes confirming that the system has been properly configured, and establishing that safeguards meet applicable standards); conduct Security Testing and Evaluation (ST&E) to determine if the technical safeguards are functioning correctly; and assess the residual risk provided by the risk assessment to determine if it meets an acceptable level of risk;
  • Conduct Assessment activities such as: review of certification results in the design review documentation by the Accreditation Authority to ensure that the system will operate with an acceptable level of risk and that it will comply with departmental and system security policies and standards and identify conditions under which a system is to operate (for approval purposes). This may include the following types of approvals:
    • Developmental approval by both the Operational and the Accreditation Authorities to proceed to the next stage in an IT system's life cycle development if sensitive information is to be handled by the system during development;
    • Operational written approval for the implemented IT system to operate and process sensitive information if the risk of operating the system is deemed acceptable, and if the system is in compliance with applicable security policies and standards; or
    • Interim approval - a temporary written approval to process sensitive information under a set of extenuating circumstances where the risk is not yet acceptable, but there is an operational necessity for the system under development; and
  • Develop and deliver training material relevant to IT Security TRA and SA&A;
  • Brief senior management;
  • Review and provide comments related to IT Security TRA and SA&A;

Required Technical and Professional Expertise
  • A degree from a recognized university in the sciences, engineering, or IM/IT related studies, or a diploma (minimum 2 years) from a recognized college in the sciences, engineering, or IM/IT related studies.
  • Minimum of 5 years of recent demonstrated experience in the assessment of applied IT security controls, or the evaluation of threats and risks, or the interpretation and application of ITSG-33 IT Security Risk Management Framework, for complex, enterprise-wide applications, or information systems.
  • Direct experience, within the last 10 years in the assessment or writing of formal Security Assessment (ITSG-33 based) and Authorization reports that includes the following activities:
    • Identifying personnel, technical, physical, and procedural threats to and vulnerabilities of Federal, Provincial or Territorial IT systems
    • Verifying that security safeguards meet the applicable policies and standards,
    • Validating the security requirements by mapping the system-specific security policy to the functional security requirements, and mapping the security requirements through the various stages of design documents,
    • Verifying that security safeguards have been implemented correctly and that assurance requirements have been met. This includes confirming that the system has been properly configured, and establishing that the safeguards meet applicable standards,
    • Assessing the residual risk provided by the risk assessment to determine if it meets an acceptable level of risk
  • Minimum of 5 years’ recent experience developing and delivering at least 2 of the following reports:
    • Data security analysis,
    • Concepts of operation
    • Statements of Sensitivity (SoS)
    • Threat assessments
    • Non-technical Vulnerability Assessments
    • Risk assessments
    • IT Security threat; and
    • Vulnerability and/or risk briefings.
  • Experience reviewing, analyzing, and/or applying Federal, Provincial or Territorial IT Security policies, System IT Security Assessment & Accreditation processes, IT Security products, safeguards and best practices, or IT Security risk mitigation strategies.
  • Experience reviewing certification results in design review documentation by the Accreditation Authority to ensure that a system will operate with an acceptable level of risk, complies with departmental and system security policies and standards and identifying conditions under which a system is to operate.
  • Experience identifying personnel, technical, physical, and procedural threats to and vulnerabilities of Federal, Provincial or Territorial IT systems.

Preferred Technical and Professional Expertise
  • One or more of the following certifications is a must:
    • Certified Cloud Security Professional (CCSP)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Auditor (CISA)
    • Certified in Risk and Information Systems Control (CRISC)
    • Certified Cyber Forensics Professional (CCFP)
    • Systems Security Certified Professional (SSCP)
    • Information Technology Infrastructure Library (ITIL)
    • Information Systems Security Architecture Professional (ISSAP)
    • CompTIA Security+
    • Certified Information Systems Security Professional (CISSP)
    • PMP or Prince2
    • Certification and Accreditation Professional (CAP)
    • Global Information Assurance Certification (GIAC)
    • SABSA Chartered Security Architect Foundation (SCF) or higher
    • Microsoft Certified Architect (MCA)
    • Systems Security Certified Practitioner (SSCP)
    • Sherwood Applied Business Security Architecture (SABSA)
    • Certificate of Cloud Security Knowledge (CCSK)
  • Experience within the past five years in the following areas is a must:
    • Data Centre Infrastructure Security;
    • Wired Network Security;
    • Wide Area Network (WAN) Security
    • Application Security
    • Network Infrastructure Security
    • VoIP;
    • Call/Contact Centre Security;
    • Audio / Video Conferencing Security
    • Cloud Security
    • Wireless Security
    • X.500 Directory Standards
    • LDAP implementations
    • Database Hosting
    • Operating Systems (Microsoft, Unix or Linux, z/OS)
    • Networking Protocols (i.e. Internet Protocol Suite, TLS, SSL, SIP, H323 etc.)

Must have the ability to work in Canada without sponsorship.
About Business Unit
The Global Technology Services division of IBM Canada holds several Security Assessment and Authorization (SA&A) contract vehicles with the federal government for independent consulting. In anticipation of upcoming Task Authorizations from our clients, GTS is developing a pool of pre-qualified consultant resources to meet these needs.
Your Life @ IBM
What matters to you when you’re looking for your next career challenge?
Maybe you want to get involved in work that really changes the world? What about somewhere with incredible and diverse career and development opportunities – where you can truly discover your passion? Are you looking for a culture of openness, collaboration and trust – where everyone has a voice? What about all of these? If so, then IBM could be your next career challenge. Join us, not to do something better, but to attempt things you never thought possible.
Impact. Inclusion. Infinite Experiences. Do your best work ever.
About IBM
IBM’s greatest invention is the IBMer. We believe that progress is made through progressive thinking, progressive leadership, progressive policy and progressive action. IBMers believe that the application of intelligence, reason and science can improve business, society and the human condition. Restlessly reinventing since 1911, we are the largest technology and consulting employer in the world, with more than 380,000 IBMers serving clients in 170 countries.
Location Statement
For additional information about location requirements, please discuss with the recruiter following submission of your application.
Being You @ IBM
IBM is committed to creating a diverse environment and is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, pregnancy, disability, age, veteran status, or other characteristics. IBM is also committed to compliance with all fair employment practices regarding citizenship and immigration status.