We are committed to providing an inclusive and barrier-free work environment, starting with the hiring process. If you need to be accommodated during any phase of the evaluation process, please use the Contact information below to request specialized accommodation. All information received in relation to accommodation will be kept confidential.
CIHR’s office is located in Ottawa, Ontario; however, employees are currently working within a flexible work arrangement pending the move to a newly updated, centrally located office in September 2025. At the new workplace, CIHR has adopted a hybrid work model and will follow the Direction on Prescribed Presence in the Workplace. Hiring managers will provide further details to candidates as applicable.
You must provide a curriculum vitae outlining previous professional experiences. Additionally, when you apply, you will be asked a series of screening questions based on the education and experience criteria below. You must provide CONCRETE EXAMPLES that demonstrate how you meet the education requirement, and the experience factors listed in the essential qualifications.
Please note that it is not sufficient to only state that the requirement is met or to provide a listing of current responsibilities.
The position is classified at the GR-10 level, which is equivalent to an IT-03. We may consider substantive IT-03 applicants ahead of all others.
The IT Security Risk Management Specialist role involves conducting risk assessments, developing mitigation strategies, and ensuring compliance with TBS standards and policies. The role also involves safeguarding CIHR’s IT assets by utilizing CIHR’s suite of security solutions. The incumbent is responsible for ensuring that security systems and solutions are properly configured to meet CIHR’s security needs.
The incumbent is responsible for:
• Evaluating risks related to systems, network, and data assets.
• Monitoring and reviewing overall risk exposure.
• Conducting risk assessments and security assessments and authorizations (SA&A).
• Ensuring mitigation actions are taken to reduce the residual risk to an acceptable level.
• Configuring, optimizing, and utilizing security technologies (SIEM, XDR, IDS/IPS, VA scanner) to manage and mitigate risk exposure.
WHO ARE WE?
The Canadian Institutes of Health Research is a federal government agency that provides funding to support the work of thousands of health researchers. CIHR's mission is to support a healthier Canada by leading investment in innovative and collaborative research and helping to solve our health care challenges today and in the future. Composed of 13 Institutes, CIHR provides leadership and support to more than 13,000 health researchers and trainees across Canada. Are you looking for new challenges in a dynamic team? Are you looking for an environment where your expertise is recognized and heard?
If you answered yes to the above, then come join our team!
WHY WORK AT CIHR?
CIHR is dedicated to creating a healthy and stimulating work environment. People are the foundation of our organization. As a member of a CIHR team, you will become part of a diverse community where teamwork and the sharing of ideas amplifies our effectiveness. In addition to a dynamic environment where your work is valued by senior management, CIHR offers excellent conditions that set the agency apart from other employers. For instance, employees enjoy:
• Competitive salary scale: bilingual bonuses and performance pay
• Progressive work environment
• Hybrid Work Model
• Seamless transition for public servants
• A great work-life balance
As a Government of Canada Agency, CIHR employees are considered public servants and receive the same pension and benefits as the core public administration.
The CIHR is a separate agency of the Government of Canada, which allows us to establish human resources policies and programs that meet our specific needs. We encourage existing public servants to contact the email address below for questions related to transferring to a separate agency.
The intent of this process is to staff one (1) indeterminate position. A pool of pre-qualified candidates may be established to staff future identical or similar positions within CIHR with various tenures (assignment, specified period or indeterminate), various security clearance levels and/or various bilingual linguistic profiles.
Positions to be filled: 1
Your résumé.
EDUCATION
Graduation from a post-secondary institution with a specialization in Information Technology, Security, or any other field relevant to the work to be performed, or an acceptable combination of education, training, and/or experience.
EXPERIENCE
• Experience in performing risk management activities related to the Security Assessment and Authorization (SA&A) process, in accordance with the ITSG-33 risk management framework;*
• Experience providing risk-based recommendations and addressing risk-related inquiries as part of day-to-day operations;*
• Experience monitoring, reviewing, and assessing overall risk exposure.*
* To ensure your application is considered, please clearly demonstrate direct, hands-on experience for each qualification:
• Focus on experience where you had direct responsibility and performed tasks yourself, rather than instances where you only participated peripherally.
• Only experience gained in a real-world, professional work setting will be considered. While academic or personal projects are valuable, they won’t be considered for qualification purposes in this context.
• Ensure you describe your specific contributions and outcomes clearly. Applications that lack this level of detail may not be assessed further.
EDUCATION
• Professional certifications in cyber security and IT risk management, including but not limited to:
- Certified Information System Security Professional Associate certification (CISSP-A);
- Certified Information System Security Professional certification (CISSP);
- Security+ certification.
EXPERIENCE
• Experience acquired in the context of the Government of Canada (GC). This includes:
- Direct employment within a GC department, agency, or Crown corporation;
- Private sector or consulting roles where services were provided directly to a GC organization;
• Experience providing input and reviewing IT security policies, directives, guidelines, and standards;
• Experience in configuring, optimizing, and utilizing security technologies (SIEM, XDR, IDS/IPS, VA scanner) to manage and mitigate risk exposure. Include specific technologies in the response (e.g. Microsoft Sentinel, Microsoft Defender, Tenable Security Center);
• Experience relevant to each of the essential and asset qualifications, acquired within the last 2 years.
KNOWLEDGE
• Knowledge of cloud security, particularly Azure environments;
• Knowledge of network security best practices (e.g. CSE Top 10, SANS).
English essential
KNOWLEDGE
• Knowledge of risk management and vulnerability management;
• Knowledge of the following CSE publications: ITSG-33;
• Knowledge of TBS and CCCS standards, policies, and guidelines.
COMPETENCIES
• Critical Thinking
• Judgement
• Working with others (Collaborating and Relationship Management)
• Initiative
• Communication (Oral and Written)
Secret security clearance
The Public Service of Canada is committed to building a skilled and diverse workforce that reflects the Canadians we serve. We promote employment equity and encourage you to indicate if you belong to one of the designated groups when you apply.
1) The CIHR is committed to having a skilled and diversified workforce representative of the population it serves. In an effort to improve representation in the executive ranks to reflect Canada’s diversity, preference may be given to candidates who, at the time of application, indicate that they belong to one of the following Employment Equity groups (self-declaration): Indigenous peoples, Women, Visible Minorities and Persons with Disabilities.
2) We would like to thank all candidates who apply. Only those selected for assessment will be contacted. We will communicate with you regarding this process by email. Applicants should use an email address that accepts messages from unknown senders (some email systems block such messages). If you do not respond to our communications, we will interpret this as your withdrawal from the process.
3) Applications for this hiring process must be submitted online via the GC Jobs site. To submit an application online, please select the "Apply Online" button below.
4) A variety of assessment tools may be used in the assessment of candidates, such as: written test, oral interview, performance appraisals and/or reference check. Please note that exams and interviews may be conducted in person. Confirmation regarding the format will be provided at a later time.
5) For questions, please contact hrstaffing-rhdotation@cihr-irsc.gc.ca.
We thank all those who apply. Only those selected for further consideration will be contacted.
CIHR Staffing Team
hrstaffing-rhdotation@cihr-irsc.gc.ca