Cybersecurity GRC Analyst

Job in Toronto, Ontario, C6A, Canada
Listing for: Ontario Medical Association
Full Time position
Listed on 2026-06-13
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security
Job Description & How to Apply Below

The Ontario Medical Association (OMA) advocates for and supports doctors, seeking to strengthen their leadership role in caring for patients. We continually seek to be the trusted voice in transforming Ontario’s health‑care system by courageously pursuing best practices, new ideas, solutions, and opportunities to improve.

Job Summary

This position is responsible for strengthening the Ontario Medical Association’s (OMA) information security governance, risk, and compliance program by operating within the second line of defense to provide oversight, independent validation, and risk-based advisory. Working within the Technology department and in close collaboration with the Information Security team, enterprise risk management, service providers, and business stakeholders, the role ensures cybersecurity risks are effectively identified, assessed, and managed across the organization.

It supports audit and regulatory readiness while embedding strong security practices and enabling the secure adoption of technology, including emerging areas such as artificial intelligence (AI). The Cybersecurity GRC Analyst advances the OMA’s strategic vision by fostering cross‑functional collaboration, promoting business agility, and influencing stakeholders to safeguard sensitive information.

Governance, Risk, Compliance (GRC)
  • Maintaining and continuously improving cybersecurity policies, standards, and controls, ensuring alignment with recognized frameworks such as CIS, NIST, and ISO 27001.
  • Serving as the primary point of contact for cybersecurity‑related audits, coordinating activities including evidence collection and remediation tracking.
  • Overseeing security exception and risk acceptance processes.
  • Integrating governance for artificial intelligence (AI) and emerging technologies into existing frameworks, including assessing associated organizational risks and providing guidance on regulatory and ethical considerations.

Cyber Risk Governance & Reporting
  • Maintaining the enterprise cybersecurity risk register, including risk ratings, remediation expectations, and escalation thresholds.
  • Assessing and documenting risks arising from vulnerabilities, incidents, third‑party findings, and control gaps.
  • Developing and maintaining cybersecurity dashboards, key risk indicators (KRIs), and key performance indicators (KPIs).
  • Providing regular reporting to senior leadership on emerging cybersecurity risks and overall security posture.

Vulnerability and Application Risk Oversight
  • Maintaining visibility of vulnerabilities across infrastructure, cloud, and applications, assessing business impact, particularly related to sensitive data exposure.
  • Tracking remediation progress, escalating overdue critical items, and documenting residual risk and risk acceptance where remediation is deferred.

Application and Data Security Oversight
  • Overseeing controls protecting sensitive data, including personal and health information (PII/PHI).
  • Collaborating on data governance initiatives, including data classification and data loss prevention (DLP), and reporting on application and data‑related risks.
  • Working closely with the Senior Security Architect to conduct threat modeling for new and existing applications and validate secure coding practices, SAST/DAST scanning, and remediation effectiveness.
  • Reviewing and reporting on application risks related to identity and access management, API security, data protection, and third‑party dependencies.

Identity, Incident & Operational Control Oversight
  • Overseeing quarterly privileged access and identity certification reviews.
  • Reviewing major incident reports, validating root cause analysis and corrective actions.
  • Monitoring recurring control failures and systemic weaknesses across infrastructure, applications, and AI systems.

Third‑Party Risk & Security Awareness
  • Conducting third‑party cybersecurity risk assessments, including vendors providing AI‑enabled services.
  • Monitoring remediation commitments and risk acceptance documentation.
  • Facilitating periodic technical and management tabletop exercises.
  • Supporting phishing simulations and broader cybersecurity awareness initiatives.

Requirements that are Important to Us
  • University…