Information Risk & Compliance Specialist

SecureKey is a leading identity and authentication provider that simplifies consumer access to online services and applications. SecureKey enables next generation privacy-enhancing identity and authentication networks for conveniently connecting people to critical online services using a digital credential they already have and trust. SecureKey is headquartered in Toronto. For more information, please visit

The Information Risk & Compliance Specialist is a key role in the development, continual improvement and oversight of SecureKey’s information risk assessment and security governance program.

Key focus will include security assessment and reporting of risk in all aspects of the SecureKey application lifecycle in order to maintain the confidentiality, integrity, and availability of all of SecureKey’s organizational information systems.

Responsibilities include:

  • Ensure that significant technology and information risks are effectively identified, evaluated, reported and controlled, and that remediation is performed.
  • Managing the POAM for our Government Services, reporting to the Authorizing Authority and ensuring that we maintain Protected B compliance.
  • Creating and managing the System Security Plan.
  • Must meet timely deadlines and manage reporting cycles with clients.
  • Provide information assurance and security analysis services involving vulnerability and risk assessment support utilizing established security and risk management frameworks.
  • Performing Threat and Vulnerability Identification, Control Analysis, Probability & Impact Analysis, and Risk Determination.
  • Recommend countermeasures and safeguards that would mitigate risk.
  • Manage the Control Self-Assessment process for the technology controls, ensuring that control issues/gaps are clearly documented and that detailed remediation plans are developed to address the issues within required time frames.
  • Ensure business compliance with SecureKey’s Risk Management Policies and Standards, the information security requirements within our customer contract and industry/regulatory requirements.
  • Provide audit support to major business Technology projects.
  • Provide subject matter expertise in information risk, controls, compliance and security best practices.
  • Manage Risk Dashboards using SecureKey’s GRC Tools.
  • Monitor technological trends in compliance with the various security standards and policies for the protection of information.

Desired Skills & Experience

Ideal qualifications:

  • CISSP, CISA, CISM or equivalent certification.
  • Five plus years’ experience in information technologies, including at least two years performing security threat risk assessments and two years performing a security audit function;
  • Knowledge of various compliance standards (HIPAA, PCI, SOC 2 Type I/II, NIST SP800-53, ISO27001/2) and government technology standards, namely:
    • ITSG-33 – IT Security Risk Management: A Lifecycle Approach
    • ITSG-22 – Baseline Security Requirements for Network Security Zones in the Government of Canada
    • ITSG-38 – Network Security Zoning – Design Considerations for Placement of Services within Zones
    • ITSG-41 – Security Requirements for Wireless Local Area Networks
    • 40.062 – Guidance on Securely Configuring Network Protocols
    • User Authentication Guidance for Information Technology Systems (ITSP.30.031 v3) (replaces ITSG-31)
    • 40.111 – Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information
  • Knowledge of CATS V2
  • Proficiency in a variety of technological security solutions;
  • Ability to analyze security threats;
  • Capacity for analysis, insight and rendering concepts in layman’s terms;
  • Outstanding interpersonal and communication skills;
  • Must possess a high degree of integrity and trust along with the ability to work independently
  • Proficient in the MS Office Suite

Security Mandates include:

  • Must ensure SecureKey’s information security requirements are met, including immediately reporting all breaches of information security to their immediate manager or the CSO (Chief Security Officer), and taking whatever other actions are required of them under the terms of the SecureKey security program and other company security policies and procedures.

Be part of a high-performance team – submit your resume to