Threat Risk Assessment (TRA) Specialist / Penetration Testing (PT) Specialist – Senior

Client: Government of Nova Scotia – Cyber Security & Digital Solutions (CSDS)

Project: Land Modernization Initiative (LMI)

Location: Halifax, Nova Scotia (Remote with optional onsite work)

Contract Duration: July 20, 2026 – May 31, 2027

Engagement Type: Competitive-Sourced

Work Arrangement: Remote (with occasional collaboration with CSDS stakeholders)

Project Overview

The Government of Nova Scotia is seeking experienced cybersecurity professionals to support the Land Modernization Initiative (LMI), a major transformation program modernizing the Province’s Land Registry services.

The selected consultants will work closely with the CSDS/LMI Technical Manager, Cyber Security and Risk Management (CSRM) team, and business stakeholders to conduct:

- Threat Risk Assessments (TRA)
- Penetration Testing (PT)
- Security risk analysis
- Vulnerability assessments
- Security recommendations and remediation guidance

The initial engagement focuses on the MVS 1.0 release, with potential future work supporting releases 1.1, 1.2, and 1.3.

Requirements

Key Responsibilities

Threat Risk Assessment (TRA)

Scope

- Identify and document security threats, vulnerabilities, and risks across the Nova Scotia Land Registry ecosystem.
- Assess people, processes, technologies, communications, and information assets.
- Evaluate likelihood and business impact of identified risks.
- Recommend mitigation strategies and security controls.
- Perform assessments using the NIST SP 800-53 Revision 5 High Baseline framework.
- Review security certifications and reports including:
  - ISO/IEC 27001
  - ISO/IEC 42001
  - SOC 2 Type II
  - PCI DSS

Activities

- Conduct workshops and stakeholder interviews.
- Review system architecture, integrations, and data flows.
- Analyze operational effectiveness of security controls.
- Assess compliance across applicable NIST control families.
- Document threat actors, attack vectors, vulnerabilities, and risk treatments.
- Produce executive and technical reports.
- Present findings to senior leadership and project stakeholders.

Penetration Testing (PT)

Scope

Conduct penetration testing against:

- Web Applications
- APIs
- Cloud Environments
- Networks
- Mobile Applications
- Endpoints

Testing Methodologies

- White Box Testing
- Grey Box Testing
- Black Box Testing

Activities

- Execute penetration testing using industry best practices.
- Identify, validate, and document vulnerabilities.
- Analyze prior security testing results.
- Conduct remediation verification and retesting.
- Produce executive and technical reports.
- Immediately escalate Critical vulnerabilities using CVSS standards.
- Participate in ongoing security assessments and risk management activities.

Required Deliverables

Threat Risk Assessment Deliverables

- Draft TRA Report
- Final TRA Report
- Completed TRA Checklist
- Risk Response Form
- Executive Presentation

Penetration Testing Deliverables

- Final Penetration Testing Report
- Executive Presentation
- Remediation Validation / Retest Results

Mandatory Qualifications (Required)

Candidates who do not meet the following requirements should not be submitted.

Threat Risk Assessment Requirements

Mandatory Experience

- Minimum 3 years of experience conducting Threat Risk Assessments (TRAs) on digital systems.
- At least one proposed resource must have completed two (2) or more TRAs on digital systems within the last three (3) years.
- Experience conducting TRAs within Canadian public sector environments.
- Experience working with:
  - NIST SP 800-53
  - ISO/IEC 27001
  - ISO/IEC 42001
  - SOC 2 Type II
  - PCI DSS
- Experience assessing:
  - Cloud environments (AWS, Azure)
  - Network infrastructure
  - Enterprise applications
  - Technology platforms
- Ability to work with business, security, and technical teams.

Mandatory Documentation

- Criminal Record Check completed within the last six (6) months.

Penetration Testing Requirements

Mandatory Experience

- Minimum 3 years of experience conducting penetration testing.
- At least one proposed resource must have completed two (2) or more penetration tests within the last twelve (12) months.
- Experience conducting penetration testing in Canadian public sector organizations.
- Strong experience testing:
  - Web applications
  - APIs
  - Cloud environments
  - Networks
  - Enterprise systems

Mandatory Certifications

Tier 1 Certification (Required)

At least one proposed resource must hold one of the following:

- OSCP (Offensive Security Certified Professional)
- CREST CRT (Registered Penetration Tester)

Tier 2 Certification (Required)

At least one proposed resource should hold one of the following:

- CEH Master
- GPEN
- CompTIA PenTest+

Mandatory Documentation

- Criminal Record Check completed within the last six (6) months.

Preferred Qualifications

The following are considered strong assets:

Security Certifications

- CISSP
- CISM
- CRISC
- OSCP
- CREST CRT
- CEH Master
- GPEN
- CompTIA PenTest+

Government Experience

- Previous experience performing Threat Risk Assessments for Canadian government organizations.
- Previous experience conducting Penetration Testing for Canadian government organizations.
- Direct experience supporting the Government of Nova Scotia.
- Familiarity with Government of Nova Scotia cybersecurity standards, risk frameworks, and governance processes.

Technical Skills

Candidates should demonstrate expertise in:

- Threat Risk Assessment Methodologies
- Penetration Testing Methodologies
- NIST SP 800-53 Rev. 5
- ISO/IEC 27001
- ISO/IEC 42001
- SOC 2 Type II
- PCI DSS
- Cyber Risk Management
- Vulnerability Assessment
- Security Architecture Review
- Risk Analysis and Treatment Planning
- Security Control Assessment
- Cloud Security (AWS / Azure)
- Application Security
- Network Security
- Security Reporting and Executive Presentations
- CVSS Scoring Framework

Evaluation Highlights

Candidates and vendors will be evaluated based on:

- TRA experience and expertise
- Penetration testing experience
- NIST and security framework knowledge
- Tier 1 and Tier 2 security certifications
- Public sector cybersecurity experience
- Government of Nova Scotia experience
- Client references
- Pricing competitiveness

This opportunity is ideal for senior cybersecurity consultants with proven expertise in both Threat Risk Assessments and Penetration Testing within government and highly regulated environments. The successful team will play a critical role in securing one of Nova Scotia’s most significant digital modernization initiatives.