Manager IT GRC

Reporting to the Senior Manager, IAM & GRC, the Manager - IT Governance, Risk and Compliance plays a key role in ensuring information security and compliance in the 407ETR by being responsible for elaborating and maintaining thorough internal and external audits, vendor due diligence program, and security risk management program. With the collaboration of relevant stakeholders, they develop, maintain and update all IT Security related policies, and control processes within the 407. The incumbent is an experienced professional with expertise and passion in leading, improving organizational processes to ensure Compliance and Risk Management. The Manager will need to balance information security risk and compliance requirements with business enablement.

Responsibilities

• Drive change and leadership best practices. Draws upon and supports corporate programs to bring consistency to our people strategy. Provides input and direction on future talent programs. Supports Diversity Equity and Inclusion while establishing trust and transparency in a safe and productive work environment.
• Monitor changes or advancements in emerging technologies to gain competitive advantage within information security and risk management.
• Work with IT and the business to assess, design and implement stainable security solutions, operating processes and people models to address key and evolving security risks.
• Work closely with business units to achieve compliance with requirements and to address related questions and issues.
• Ensure standards, processes, procedures, and associated metrics are documented and met.
• Consult with Application Security, Risk and Controls (Access, Process control).
• Facilitating and preparing and supporting internal and third-party audits.
• Conduct risks assessments.
• Conduct tabletop exercises and work with incident response plans and procedures.
• Assist with Disaster Recovery and Business Continuity planning initiatives.
• Perform assessments and associated remediation activities to ensure systems and controls are configured in accordance with established policy, best practice guidelines and designated compliance frameworks.

Risk Management:

• Develop and improve information risk management strategies and processes.
• Manage and perform risk assessment initiatives, risk registry, etc.
• Enact risk rationalization and implementation of mitigation strategies and monitoring across IT.
• Maintain information risk tolerance threshold metrics and provide guidelines on ensuring information risk exposure is within tolerance limits.
• Identify and communicate issues and risks and work with cross-functional teams to establish risk mitigation strategies where applicable.

Compliance:

• Ensure compliance adherence across programs and initiatives in respect to legislation and regulation, i.e. PCI DSS.
• Perform assessments of technology solutions, third parties, etc., ensuring compliance to the defined security policies, standards and procedures.

Governance:

• Assist the development and maintenance of 407 ETR security policies, procedures and related documents.
• Work on governance frameworks, work with IT Leadership in order to upscale/improve governance methodology and reporting.
• Oversee information security governance related initiatives.
• Assist in the development and maintenance of a Data Governance program including Integration, Classification, Storage and Quality management

Qualifications

• Minimum of 7 years of IT security, Information Risk Management or related work experience
• College Diploma or University Degree in Computer Engineering, Computer Science, or Audit preferred
• Intermediate to strong working knowledge of O365 and AWS
• Experience with GRC
• One or more of the following or related certifications preferred:
  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Manager (CISM)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified Information Systems Security Professional (CISSP)
• Experience with the following IT Security Frameworks required: Payment Card Industry Data Security Standards (PCI DSS), ISO 27001 / 27002, Control Objectives for Information and Related Technology (COBIT), NIST Cybersecurity Framework preferred
• Familiarity with Agile methodologies such as Lean, Scrum and Kanban preferred
• Demonstrated ability to work with internal stakeholders and external vendors

407 ETR's Information Technology division is responsible for the infrastructure and software to enable the efficient operation of the highway---including toll capture, account management, financials, and data storage/analytics---as well as customer services including call-center, web, IVR and supporting workflows.

Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east.

407 International Inc. is the sole shareholder of 407 ETR and is owned by:

• Canada Pension Plan Investment Board (CPP Investments) through indirectly-owned subsidiaries (50.01%);
• Cintra Global S.E. which is a wholly-owned subsidiary of Ferrovial S.A. (43.23%); and
• AtkinsRalis, formerly known as SNC-Lavalin (6.76%).

Note: At 407 ETR, we are committed to fostering a diverse, equitable, and inclusive work environment. We value the unique perspectives and backgrounds of all individuals, and we firmly believe that our individual differences make us stronger as a whole.

Our commitment to inclusion extends beyond recruitment and encompasses an inclusive workplace culture through raising awareness, ongoing training, and encouraging feedback. We aim to create a safe and supportive environment where all employees can thrive.

Accommodation for disabilities or other grounds protected by human rights legislation are available upon request for candidates taking part in all aspects of the employment selection process.