Manager Security Governance

Canada


Metrolinx is connecting communities across the Greater Golden Horseshoe. Metrolinx operates GO Transit and UP Express, as well as the PRESTO fare payment system. We are also building new and improved rapid transit, including GO Expansion, Light Rail Transit routes, and major expansions to Toronto’s subway system, to get people where they need to go, better, faster and easier. Metrolinx is an agency of the Government of Ontario.
  At Metrolinx, equity, diversity and inclusion are essential to living our values of serving with passion, thinking forward and playing as a team.
PRESTO is an electronic transit fare payment system in the Greater Toronto, Hamilton and Ottawa areas that eliminates the need for tickets, passes and cash. PRESTO serves more than 5 million customers across 11 transit agencies and processes over $2.5 billion in fares through 67 million boardings per month (pre-pandemic). Today, PRESTO offers one of the most advanced fare payment systems in the world, having delivered new ways to pay for customers, including real-time PRESTO Contactless with credit and Interac debit and PRESTO in Mobile Wallet across its transit agency clients, including the Toronto Transit Commission (TTC). Enhancing the customer experience through continuous improvement, working with our transit agency clients to support their needs, and maintaining a system that performs exceptionally continue to drive PRESTO toward making transit better for all.

 

We are looking for a Manager, Security Governance who will be responsible for the development and management of Information Security governance, risk, compliance and reporting capabilities. This role reports to the Director, Payments Cybersecurity.

What will I be doing?
  • Responsible for the development and maintenance of PRESTO cybersecurity policy and standards in alignment with applicable compliance and regulations 
  • Responsible for PRESTO Information Security risk and compliance activities related to maintaining full compliance with PCI, Privacy (FIPPA) and OPTIC
  • Provides appropriate updates and reports to internal and external stakeholders including SMT, AFaRM, auditors and others as appropriate
  • Responsible for defining the process for requesting an exception from defined cybersecurity policy and standards, and for defining monitoring processes and related metrics to track risks associated with approved exceptions
  • Responsible for designing Information Security performance KPIs (including but not limited to NIST CSF scoring) and reporting on them to appropriate stakeholders
  • Advises various business teams as well as PRESTO Technology teams and provides expertise on cybersecurity issues (e.g. Cyber Security and Payment Card Industry Standards and Provincial Privacy Laws)
  • Responsible for education and awareness, via the cyber training and awareness program, to ensure Metrolinx staff and contracted vendors (with physical or logical access to PRESTO assets) conform to the Cybersecurity Policy
  • Assists Performance Reporting, Product Operations and Product Delivery with the ongoing monitoring of third-party performance against security requirements and controls, including:
    • Attendance at periodic vendor performance evaluation meetings
    • Implementation of internal control measures to corroborate security reports from third parties
    • Reviews of vendor security control attestation reports and assessment of the implications of gaps/breaches as they occur
    • Input into the renewal/termination of contractual arrangements for outsourced services as contract periods lapse
What Skills and Qualifications Do I Need?
  • Completion of a degree in Business, Engineering, Information Systems, Computer Science or a related discipline – or a combination of education, training and experience deemed equivalent
  • Demonstrated experience in progressively advancing roles within IT or a related function, including experience in the field of IT Security / Cybersecurity, with a track record of competency in a combination of risk management and cybersecurity management in IT
  • Professional security management certification is an asset, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Governance of Enterprise IT (CGEIT), Certified Risk and Information Systems Controls (CRISC), Certified Information Systems Auditor (CISA) or other similar credentials
  • Leadership, problem solving, interpersonal, and oral/written/presentation skills 
  • Knowledge and experience in coordination of internal and external stakeholders and management of sourcing contracts for IT products (hardware and software) and/or services 
  • Interpersonal, oral, written and presentation skills to brief and update senior leadership, prepare reports and project-related materials, deliver presentations and provide subject matter expertise to consultants, staff and related decision makers
Don’t Meet Every Requirement?  If you’re excited about working with Metrolinx but your past experience doesn’t quite align with every qualification of this posting, we encourage you to apply. You just might be the right candidate for this or other roles. We are always looking for great talent to join our team.
  We invite all interested individuals to apply and encourage applications from members of equity-deserving communities, including those who identify as Indigenous, Black, racialized, women, people with disabilities, and people with diverse gender identities, expressions and sexual orientations.
  Accommodation: We value the unique skills and experiences each person brings to Metrolinx and are committed to creating and maintaining an inclusive and accessible environment. We are committed to the requirements of the Accessibility for Ontarians with Disabilities Act so if you require accommodation during the hiring process, please let our Recruitment team know by contacting us at: 416-202-5601 or email hr.recruitment@metrolinx.com.
  Application Process: All applicants must be legally entitled to work in Canada. Metrolinx will be using email to communicate with you for all job competitions. It is your responsibility to include an updated email address that is checked daily and accepts emails from unknown users. As we send time-sensitive correspondence, we recommend that you check your email regularly. If no response is received, we will assume you are no longer interested in pursuing the opportunity. Please be advised that a Criminal Record Check may be required of the successful candidate. 
  Should it be determined that any background information provided is misleading, inaccurate or incorrect, Metrolinx reserves the right to discontinue consideration of your application.
  We thank all applicants for their interest; however, only those selected for further consideration will be contacted.
  WE ARE AN EQUITABLE AND INCLUSIVE EMPLOYER.


Tags: CISA CISM CISSP Compliance Computer Science CRISC Governance KPIs Monitoring NIST Privacy Risk management

Region: North America
Country: Canada
