Our client is seeking a professional IP security consultant to provide an IP network and security vulnerability risk assessment at their new location, the company's new operations center in downtown Montreal.
The proponent is to provide consulting services for the NMRC IP security and intrusion project under the coordination of the project manager. The proponent participation may also be required for other sections of IP security projects to be specified.
The company is currently in a transition phase, moving between its old and new buildings. The consultant works on every aspect of the NMRC IP networks to provide all security measures and necessary materials to effectively protect the client's network assets from unauthorized access and intrusion.
The consultant's mandate is to act as an IP security expert, to participate in project meetings, to help establish IP security specifications and recommend policies based on best industry practices, to document the detailed needs of the company, and to accelerate the production of the required IP security plans and designs, IP vulnerabilities, IP security risk assessments, IP security specifications, implementation solutions and recommendations.
Proponent Activities under this Mandate
Risks, threat and vulnerability assessments of every aspect of the NMRC IP Networks, including:
» The professional IP security and intrusion proponent should act as an expert to advise stakeholders on subjects in his field of expertise, identify security and intrusion solutions to specific needs, and assist clients in determining (and documenting) needs.
» With the client, the proponent is to establish the technology and the scope of the vulnerability assessment, and define the rules of engagement with a detailed execution plan. This also includes access to the network to collect and gather IP security information, network diagrams, policies, and other required information from the client's staff. The proponent must be familiar with and/or be able to act upon and conduct the assessment as per the European Broadcasting Union (EBU) document R 148 “CYBERSECURITY RECOMMENDATION ON MINIMUM SECURITY TESTS FOR NETWORKED MEDIA EQUIPMENT” RECOMMENDATION Geneva April 2018 (https://tech.ebu.ch/docs/r/r148.pdf) and other industry best practices, including emerging practices.
» Working with the client's key stakeholders (who are already currently performing security assessments), the proponent is to perform internal security vulnerability assessments on traditional server and network infrastructure as well as “Internet of Things” technologies (e.g. microphones, cameras, etc.). The proponent must demonstrate the best methodology and the strategy of the security vulnerability assessment plans, including the planning, the mitigation plan, and the action plan to protect the client's assets and networks (data, audio, video, files, images, codec, etc.).
» Based on the results of the internal security vulnerability assessments, the proponent is to identify and provide a clear understanding of the security risks and vulnerabilities discovered and recommend remediation action plans whose priorities will be executed in order of severity. The likelihood and impact of any particular threat and/or security weakness must be included in the analysis.
» The proponent’s analysis should include an assessment of potential threat risks to different network segments and security perimeters and across many different platforms and provide a gap analysis to isolate areas where the security does not meet the industry best practices.
» Once the remediation priorities have been described and identified, the proponent in conjunction with the ePMO and Information Security is to assist in carrying out the remediations from an advisory role only.
» Once the environment has had the remediations applied, a separate party will conduct a penetration testing exercise to verify the remediation controls put in place and to identify any other gaps that may have been identified during the exercise such as: anticipate potential sources of new IP security threats; make recommendations and guidelines in implementing IP security measures to mitigate any areas of vulnerability to reduce the risks; strengthen the internal access controls to mitigate future problems; recommend the implementation of security measures and provide technical guidance and advice as required; recommend monitoring activities to help keep the environment in check and respond to incidents accordingly and in line with our current incident management guidelines. These recommendations may be posed back to the proponent for comment and / or investigation and remediation.
Service Requirements – Qualifications:
The proponent must have a significant amount of experience in information security (+10 years) and specifically experience in information security architecture, security vulnerability risk assessments, remediation methods, project management and pentest exercises. Proponent experience should include “Internet of Things” knowledge and current IP and network security knowledge and testing experience and with broadcast experience being an asset.
» Excellent analytical, evaluative, and problem-solving abilities
» Extensive knowledge of security technology and risk assessment methodologies, policies and processes and current/emerging industry best practices
» Must have the ability to work independently and multi-task effectively
» This individual will have excellent written and oral communication skills, as well as interpersonal skills including the ability to articulate to both technical and non-technical audiences. The ideal proponent will be exceptionally self-motivated and directed
» The ideal proponent will have 10+ years of experience working within the technical and project arena
» Strong knowledge and experience with IP network designs and secure designed infrastructures including firewalls, routers, switches, access control and “Internet of Things” technologies
» Experience with compliance programs as well as their technical and security requirements
» Knowledge/Experience in Internet Filtering Technologies, DNS, Active Directory, IAM, LANs, WANs, Routers, Firewalls, IDS systems, Virtual Server Systems, Encryption Technologies, Windows, Linux and embedded operating systems.
» Ability to scan large networks using vulnerability scan tools and write risk mitigation plans according to the assessment.
» A university degree in the field of computer science, IT or Information Security
» Experience in security standards such as ISO 27001, 27002, 27005; NIST, COBIT, ITIL
» Technical certifications within the area of security are a strong plus (CISSP, CRISC, CBCP, CISA, CISM or equivalent)
» The proponent must be familiar with and/or be able to act upon and conduct the assessment as per the European Broadcasting Union (EBU) document R 148 “CYBERSECURITY RECOMMENDATION ON MINIMUM SECURITY TESTS FOR NETWORKED MEDIA EQUIPMENT” RECOMMENDATION Geneva April 2018 (https://tech.ebu.ch/docs/r/r148.pdf)
» The proponent’s position fosters collaborative work amongst various professionals, technology leaders and client representatives to find optimum solutions that meet corporate strategic directions and objectives in the deployment of advanced information security technologies.
» The proponent requires the ability to communicate in a clear, concise and effective manner: listening, writing, reading and speaking. Tact and diplomacy are an essential requirement. Capable of providing clear, concise communication on technology issues to the client's Senior Management as required. Requires knowledge and understanding of the topic under discussion and an ability to explain technical terminology to individuals who do not have the appropriate expertise.
In order to give the client the best possible results, we estimate that the work and the intervention will have to be carried out over a period of six (6) months with an estimated frequency of 5 days a week of work. The proponent should provide the NMRC with a final quote for 6 months of work, at a rate of 40 hours + per week for the IP security work on the NMRC project. Given the current COVID-19 situation, work will most likely be performed remotely, with occasional visits to the new MRC building if required. Any PPE (Personal Protection Equipment, such as face masks) will have to be provided by the selected Supplier / Consultant.