Cloud Security Engineer

Ontario Securities Commission

The Ontario Securities Commission is an independent Crown agency that regulates Ontario’s capital markets by making rules that have the force of law and by adopting policies that influence the behaviour of capital markets participants.

Business Unit: Fixed Term (Fixed Term), Full time

Closing Date: March 14, 2025

The Ontario Securities Commission (OSC) is the statutory body responsible for regulating Ontario’s capital markets in accordance with the mandate established in the provincial Securities Act and the Commodity Futures Act. The mandate of the OSC is to provide protection to investors from unfair, improper or fraudulent practices, to foster fair, efficient and competitive capital markets and confidence in the capital markets, to foster capital formation, and to contribute to the stability of the financial system and the reduction of systemic risk. This mandate is performed through policy, operational, and enforcement activities. The OSC also contributes to national and global securities regulation development.

We offer a diverse, fair, and flexible work environment and take pride in our challenging and rewarding work.

Fixed-Term Contract (Up to 6 months)

The Cloud Security Engineer is the subject matter expert on Cyber systems security, responsible for providing technical leadership in cyber security. This role is responsible for having a deep understanding of current OSC Cyber Security systems, the broader technological environment and playing a pivotal role in ensuring the implementation of solid cyber security solutions in support of the IT modernization. The Cloud Security Engineer will design and implement security systems to protect the OSC’s compute environment, networks, and systems from cyber-attacks while helping to maintain a solid security posture. They will monitor systems, detect security threats ('events'), analyze alarms, report on threats or intrusion attempts, while taking the necessary remediation steps by either resolving them or escalating them to the appropriate owner. This role supports the Chief Technology Officer, Chief Information Security Officer and the Manager, Technology Services in performing the project and operational work required for the OSC’s Information Security Program.

Key Duties and Responsibilities

Information Security Systems Implementation

• Responsible for vendor management, identifying new technology, resolving vendor issues, negotiating statements of work and design solutions.
• Accountable for the implementation of the OSC’s security systems or controls.
• Work closely with the Information Security Office during the implementation of technology projects.
• Implements and configure cyber security tools and integration components working with the infrastructure and Enterprise Architecture units to ensure optimal integration between platforms.
• Assist infrastructure teams in troubleshooting cyber security related integration issues and provides guidance on appropriate technological resolutions.
• Work closely with Management on the procurement process to evaluate vendors and assessment products based on defined requirements.
• Test and evaluate new security products to assess alignment with OSC ecosystem and make recommendation to Management.

Management of OSC Compute, Network and System Security Activities

• Identify, prioritize, and mitigate vulnerabilities across all assets in the OSC to ensure that Security incidents & Vulnerability/Patch Management is proactively managed, and security issues are triaged and remediated.
• Act as change agent for the OSC cyber security & infrastructure technological landscape, understanding the current cyber security state and ensuring the materialization of the cyber security structures required to support the IT roadmap.
• Monitor and take the necessary action on attacks, intrusions, unusual/unauthorized activity, phishing emails and spam activity.
• Monitor and take the necessary action on identity and access management systems for abuse of permissions.
• Investigate security alerts/breaches and provide the necessary incident response while providing recommendations to remediate the issue.
• Proactively determine emerging threat patterns / vulnerabilities and identify potential weaknesses using advanced analytic tools and appropriate security controls.
• Research and evaluate emerging cyber security threats and make recommendations on approaches and strategies to mitigate them.
• Liaise with the Information Security Office and stakeholders in relation to security issues and to provide recommendations.
• Generate qualitative reports on privileged accounts and vulnerabilities (etc.) for both technical and non-technical staff to understand our security risk and monitor progress on the necessary remediations.

Information Security Standards/Procedures

• Develop and maintain documentation for various security systems and applications.
• Keep up to date with the latest security and technology developments.
• Assist with the creation, maintenance, and delivery of information security awareness training campaigns.
• Plan for disaster recovery and create contingency plans in the event of any security disruptions to normal operations.

Qualifications

• A relevant degree in Computer Science or a comparable field of study, or certificate in Information Security (or equivalent experience).
• Industry certifications such as CISSP, Certified Information Systems Security Professional or GISP, GIAC Information Security Professional are preferred.
• A minimum of 7-10 years of relevant experience in IT security or information risk management.
• Strong knowledge of technology and security topics including network and application security, infrastructure hardening, security baselines, web server, and database security.
• Solid understanding of general networking principles and common protocols.
• Familiar with ISO/IEC 27000 family of standards for Information Security Management, NIST series of standards related to Information Security and Risk Management and other best practices for information security.
• Good working knowledge of various security technologies such as network and application firewalls, segmentation, policy management, proxies, web filtering, SIEM, end point protection, secure remote access solutions (VPN, SSO & MFA), anti-virus and security operations.
• Experience in vulnerability assessment scanning, secure code, and infrastructure security reviews for internal and external facing (web) applications.
• Experience with system development lifecycles (SDLC) and embedding security assurance into the planning, implementation, testing and deployment of solutions.
• Experience with Public Key Infrastructure (PKI) management.
• Experience with cloud security & integration (preferably Azure Cloud).
• Experience with Palo Alto Firewalls, PRISMA and related technologies.
• Experience with Azure Premium Firewalls, Network Security Group (NSG) and related technologies.
• Experience with Cisco switches and related technologies.
• Familiarity with some or all of Microsoft Security set of products, and depth experience in at least 1 of the following: Azure Sentinel, Azure Security Center (ASC), Windows Defender Advanced Threat Protection (WDATP), Microsoft Cloud App Security Broker (CASB) Solutions - Microsoft Cloud App Security (MCAS) / Office 365 Cloud App Security (OCAS) / Azure AD Cloud App Discovery, Office 365 Advanced Threat Protection (O365 ATP), Office 365 Threat Intel (O365 TI), Azure Advanced Threat Protection (Azure ATP).
• Solid understanding of TCP/IP, BGP, OSPF and related protocol stack.
• An understanding of the information security risks associated with various technologies and ways to manage them.
• Familiar with ITIL Change Management process.
• Analytical and problem-solving skills to identify and assess risks, threats, patterns, and trends.
• Strong oral and written communication skills.
• Excellent attention to detail.
• Teamworking skills to collaborate with team members and clients.
• An ability to work under pressure, particularly when dealing with threats and at times of high demand.
• Time-management and organizational skills to manage a variety of tasks/competing priorities and meet deadlines.
• Integrity and a passionate commitment to IT security as a profession.

Grow your career and make a difference working at the OSC.

We thank all applicants for their interest in the Ontario Securities Commission. We will contact those selected for an interview.

The OSC is committed to diversity and providing an inclusive workplace and providing accommodation in accordance with the Accessibility for Ontarians with Disabilities Act and the Human Rights Code. It is our priority to ensure employment opportunities are visible and barrier-free to all under-represented groups including but not limited to, Indigenous, Black and racialized groups, people with disabilities, women and people from the 2SLGBTQI+ community, to achieve an employee demographic profile reflective of the demographic profile of Ontarians.

If you require an accommodation during the recruitment process, please let us know by contacting our confidential inbox HRRecruitment@osc.gov.on.ca.

Visit Accessibility at the OSC to review the OSC’s policies on accessibility and accommodation in the workplace.