Senior TRA and C&A Specialist

  • Contract
  • Security Clearance: None

Company Description

ADGA provides strategic vision, world-class technology and service excellence in the areas of defence, security and enterprise computing to clients in the federal government, other levels of government and the private sector. In a world dominated by convergence, ADGA provides the expertise and innovation that organizations need to stay safe, efficient and productive. This is based on an exceptional balance sheet built since 1967, protecting some of Canada's most critical assets. Headquartered in Ottawa, with offices across Canada, ADGA is a privately owned Canadian company employing more than 800 employees, technical consultants and subject matter experts.

Job Description

This resource category will be responsible for, but not limited to, doing the following:

a.    Review, analyze, and/or apply Federal IT Security policies, System IT Security Certification & Accreditation processes, IT Security products, safeguards and best practices, and IT Security risk mitigation strategies

b.    Identify threats to, and vulnerabilities of operating systems and wireless architectures

c.    Identify personnel, technical, physical, and procedural threats to and vulnerabilities of Federal IT systems

d.    Develop reports such as: Data security analysis, Concepts of operation, Statements of Sensitivity (SoSs), Threat assessments, Privacy Impact Assessments (PIAs), Non-technical Vulnerability Assessments, Risk assessments, IT Security threat, vulnerability and/or risk briefings

e.    Conduct Certification activities such as:

o   Develop Security Certification Plans

o   Verify that security safeguards meet the applicable policies and standards

o   Validate the security requirements by mapping the system-specific security policy to the functional security requirements, and by mapping the security requirements through the various stages of design documents

o   Verify that security safeguards have been implemented correctly and that assurance requirements have been met. This includes confirming that the system has been properly configured, and establishing that the safeguards meet applicable standards

o   Conduct security testing and evaluation (ST&E) to determine if the technical safeguards are functioning correctly

o   Assess the residual risk reported by the risk assessment to determine if it meets an acceptable level of risk

f.    Conduct Accreditation activities such as: Review of the certification results in the design review documentation by the Accreditation Authority, to ensure that the system will operate with an acceptable level of risk and that it will comply with the departmental and system security policies and standards, and to identify the conditions under which a system is to operate (for approval purposes). This may include the following types of approvals:

o   Developmental approval by both the Operational and the Accreditation Authorities to proceed to the next stage in an IT system's life cycle development if sensitive information is to be handled by the system during development

o   Operational written approval for the implemented IT system to operate and process sensitive information if the risk of operating the system is deemed acceptable, and if the system is in compliance with applicable security policies and standards

o   Interim approval—a temporary written approval to process sensitive information under a set of extenuating circumstances where the risk is not yet acceptable, but there is an operational necessity for the system under development

Qualifications

  • Must hold a valid Secret clearance
  • A minimum of seven (7) years’ experience in the last fifteen (15) years, performing IT Risk Management (*) activities involving the following areas:
    • Software Development & Application Security
    • Cloud security
    • Endpoint Security
    • Identity & Access Management
    • Communications and Network
  • A minimum of three (3) years’ experience in completing IT Security Threat and Risk Assessments (TRA) for secure IT systems using CSEC’s Harmonized Threat and Risk Assessment (TRA) Methodology (TRA-1) and ITSG-33.
  • A university degree or post-secondary diploma in Information Technology, Computer Science or Electrical Engineering fields, obtained through a recognized Canadian university or college; or an equivalent Canadian academic credential assessment, if obtained outside Canada.
  • Hands-on experience within the last five (5) years completing two or more of each of the following deliverables:
    • (SoS) Statements of Sensitivity for IT systems processing Protected or Classified information using the CSEC Harmonized Threat and Risk Assessment (TRA) Methodology (TRA-1)
    • (TRA) IT Security Threat and Risk Assessments supporting IT systems processing Protected or Classified information using CSEC Harmonized Threat and Risk Assessment (TRA) Methodology (TRA-1).
    • (SA&A/C&A) Security Assessment and Authorization / Security and Accreditation packages for IT systems processing Protected or Classified information using IT SA&A methodology and terminology as defined in ITSG-33.
    • (TSR-P) Technical Security Reviews of Commercial-Off-the-Shelf (COTS) hardware or software product(s).
    • (IT-SIA) IT Security Impact Analysis reports for IT solutions.

  • Must hold one or more of the following valid certifications:
    • Certified Cloud Security Professional (CCSP)
    • Certified Information Systems Security Professional (CISSP)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Auditor (CISA)
    • Certified in Risk and Information Systems Control (CRISC)
    • Certified Cyber Forensics Professional (CCFP)
    • Systems Security Certified Professional (SSCP)
    • Information Systems Security Architecture Professional (ISSAP)
    • CompTIA Security+ 
    • CompTIA Network+ 
    • CompTIA Cloud+ 
    • CompTIA CySA+
    • CompTIA Mobile App Security+
    • Certified Wireless Security Professional (CWSP)
    • GIAC (Global Information Assurance Certification)
    • SABSA Chartered Security Architect Foundation (SCF) or higher
  • Experience in risk management activities for Cloud-based applications for government projects/initiatives involving any of the following:
    • Biometric identification 
    • Multi-factor authentication, secure enclave processing 
    • Public Cloud Infrastructure-as-a-Service
    • Cloud-based Identity Access Management
    • Mobile or Multi-experience
    • Artificial Intelligence or Machine Learning
    • Robotic Process Automation
