Senior IT Risk Management Analyst at CDAAMC
Toronto, ON M5H 3Y9, Canada
Full Time


Start Date

Immediate

Expiry Date

04 Oct, 25

Salary

98940.0

Posted On

01 Sep, 25

Experience

0 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

AWS, SIEM, DLP, IDS, Vulnerability, Azure, French, IT, Management Software, Training Programs, Cloud Security, Google Cloud, Security Tools, IPS

Industry

Financial Services

Description

Status: Full time, indefinite
Location: Ottawa, Ontario, or Toronto, Ontario, or remote
Closing date: September 4, 2025
Salary range: $98,940 to $123,420 per year
Canada’s Drug Agency is a pan-Canadian health organization. We are an independent, not-for-profit organization headquartered in Ottawa, with a satellite office in Toronto. Created and funded by Canada’s federal, provincial, and territorial governments, we drive better coordination, alignment, and public value within Canada’s drug and health technology landscape. We provide Canada’s health system leaders with independent evidence and advice so they can make informed drug, health technology, and health system decisions, and we collaborate with national and international partners to enhance our collective impact.
We are proud to be a 2025 National Capital Region Top Employer. Canada’s Drug Agency was named one of the National Capital Region’s top employers for the second year in a row. This recognition celebrates our dedication to fostering a work environment that nurtures growth; innovation; and inclusion, diversity, equity, and accessibility (IDEA). It reaffirms our ongoing efforts to create an outstanding workplace where our employees thrive and feel valued.
Most of our employees participate in a hybrid workspace arrangement that allows for flexibility and enhanced work-life balance. We believe in the positive impact of in-person collaboration and the importance of team building. Added consideration is given to qualified candidates who live near our offices and can participate in a hybrid arrangement. Those applying must be located in Ontario, except in rare circumstances where the employment position is remote.
Primary Focus
The Senior IT Risk Management Analyst is responsible for identifying, assessing, and mitigating risks to our information systems and data. This role involves conducting thorough cybersecurity and information systems risk assessments for existing and future solutions, developing and implementing mitigation strategies, and ensuring compliance with relevant cybersecurity regulations and standards. The Senior IT Risk Management Analyst will work closely with various internal partners to ensure that our information security policies and practices are effectively implemented and maintained, including performing security audits, monitoring potential threats, and responding to security incidents.
What do the daily responsibilities look like?
On any given day, the Senior IT Risk Management Analyst will work on the following:

IT Risk Management

  • Conduct comprehensive risk assessments of information systems and data processes to identify potential threats and vulnerabilities
  • Evaluate the impact of identified risks on IT business operations
  • Develop, prioritize, implement, and monitor risk mitigation strategies and controls to protect digital information assets
  • Maintain a risk register and regularly update it with new risks and mitigation measures
  • Work with business units to perform business impact analyses and develop risk treatment plans
  • Complete threat risk and management and privacy impact assessments
  • Work closely with the Strategy and Governance team to ensure alignment with corporate risk management and business continuity planning activities
  • Assess and manage risks associated with third-party vendors and service providers, and develop and maintain a vendor risk management program, including policies and procedures for onboarding and monitoring vendors
  • Ensure vendor contracts include appropriate security requirements and service level agreements

Policy and Procedure Development

  • Lead the development, implementation, and enforcement of information security policies, standards, and procedures
  • Ensure policies and procedures are aligned with regulatory requirements, industry best practices, and organizational goals
  • Review and update security policies regularly to address emerging threats and changing business needs

Incident Response

  • Lead the response to information security incidents, including investigation, containment, eradication, and recovery
  • Develop and maintain incident response plans, ensuring they are tested and updated regularly
  • Coordinate with internal and external partners during security incidents to ensure timely and effective resolutions
  • Prepare detailed incident reports and postincident analyses to identify lessons learned and improve response processes

Security Awareness and Training

  • Partner with the People and Culture team to source and/or develop and deliver information security awareness training programs (e.g., presentations, videos, newsletters) for employees at all levels
  • Conduct regular internal phishing simulations and other security exercises to assess and improve employee readiness
  • Stay current with emerging threats, vulnerabilities, and security technologies through ongoing education and professional development, and recommend and implement improvements to the information security program based on industry trends and best practices
  • Collaborate with other business units to identify opportunities for enhancing overall security posture

Audit and Compliance

  • Ensure compliance with relevant regulations, such as PHIPA, FIPPA, PIPEDA, and PCI DSS
  • Develop and maintain documentation to support audit and compliance activities
  • Work with auditors to address findings and implement corrective actions

Is this the right role for you?

THE FOLLOWING ARE CONSIDERED ASSET QUALIFICATIONS:

  • the ability to work effectively in French (written, verbal, and comprehension)
  • experience with security tools such as SIEM, IDS and/or IPS, DLP, and vulnerability management systems
  • knowledge of cloud security and experience with cloud platforms such as AWS, Azure, or Google Cloud
  • proficiency using risk management software and tools
  • experience developing and delivering security awareness training programs.

What’s in it for you?

How To Apply:

In case you would like to apply to this job directly from the source, please click here

Responsibilities

Please refer to the job description for details
