Ministry Responsible for Liquor Distribution

POSITION DESCRIPTION
Ministry Responsible for Liquor Distribution Branch
BC Liquor Distribution Branch
POSITION TITLE: IT Senior Security Analyst
POSITION NUMBER(S): IS1275
DIVISION (e.g., Division, Region, Dept): Information Services
UNIT (e.g., Branch, Area, District): IT Risk and Support Services
LOCATION: Vancouver
APPROVED CLASSIFICATION: IS R27
CLASS CODE:
SUPERVISOR’S TITLE: Manager, Compliance and Policy
SUPERVISOR’S CLASSIFICATION: Applied Leader
POSITION NUMBER: IS1400
PHONE NUMBER:
PROGRAM
The Liquor Distribution Branch (LDB) is one of the largest distributors and retailers of beverage alcohol in Canada,
generating a net income of approximately $935 million on annual sales of approximately $3.1 billion. The Branch operates
approximately 200 retail stores across the province, oversees the operations of Rural Agency Stores and has the role of
wholesaler to approximately 700 private liquor retail outlets and 8,000 licensed establishments. The LDB is a unique
government entity that operates with similar independence to a Crown Corporation under the direction of a General
Manager.
PURPOSE OF POSITION
Advising senior management, the IT Senior Security Analyst works with business stakeholders and leads the
implementation of key branch security strategies and projects. This position comes with a high degree of authority and
autonomous decision making. The IT Senior Security Analyst is responsible for assessing security risks and identifying
control requirements and is focussed on creating solutions to address control needs.
The IT Senior Security Analyst, in collaboration with IT Project Teams, architects, and administrators, assesses systems
and provides security advice and recommendations to LDB business and IT Leadership during the design, development,
deployment and maintenance of systems. The IT Senior Security Analyst also leads initiatives to improve the LDB's
information security policies and standards and address the changing scope of security threats and computer
technologies. The IT Senior Security Analyst works closely with business leaders and technical teams to ensure
information security is an integral component of business processes and IT applications.
NATURE OF WORK AND POSITION LINKS
The LDB relies on an extensive, multi-faceted, increasingly complex network of IT infrastructure and applications to
operate its multitude [1] of mission-critical ordering, inventory, supply chain, retail, wholesale and corporate [2] operations.
Security threats are increasing in frequency, intelligence and severity. The LDB’s operational environment is undergoing
significant changes (e.g. including e-retailing, cloud computing and mobile access). Traditional security solutions may be
inadequate in the face of multiple security challenges.
[1] The LDB ISD supports 400+ business processes, 60+ critical operations across 600+ servers using multiple geographically
separated active-active data centres
[2] including: financial, human resources and other information management applications
The IT Senior Security Analyst is relied upon, as the LDB’s authoritative expert on information security and risk
management, to apply expertise that influences the secure design and deployment of IT applications and business
processes. The work involves considerable complexity, multiple applications and a wide variety of technologies. The
Senior Security Analyst operates within a wide scope of responsibility, leading the LDB’s application security and risk
management program to ensure the protection of IT information assets across LDB’s entire operation.
To accomplish its objectives, the position develops and maintains relationships with:
Director: provides expert advice and guidance regarding all aspects of information security and risk management
policies, procedures and best practices; receives decisions; and provides progress reports.
Other IT Security personnel (e.g. network security, security architect): collaborates on the development and
deployment of information security policies, best practices and methods.
LDB Business Leaders/Clients: provides expert advice and recommendations to ensure business practices
incorporate information risk management strategies; collaborates on projects; enhances understanding of policies,
procedures and best practices; explains risks and risk mitigation strategies; receives decisions regarding 'acceptable
risks;' and exchanges information.
Internal (within LDB or within government) or external IT service providers and vendors: represents the LDB
interests regarding the advancement of IT security and risk management objectives; collaborates on projects; and
exchanges information.
Project team members: leads project teams, provides functional direction to project team members, delegates
tasks, monitors performance and ensures deliverables are achieved within budgets and timelines.
LDB internal/external clients, suppliers, partners: provides advice and guidance regarding IT security and risk
management programs, and exchanges information regarding security threats and issues.
Financial Services: receives guidance on complex procurement issues.
Technical expertise forums: participates in, and monitors developments in IT security tactics to maintain a robust
working knowledge of current and future potential security threats and best practices.
Contractors: manages procurement processes; negotiates contracts and monitors performance.
SPECIFIC ACCOUNTABILITIES / DELIVERABLES
1. Provides senior consulting services and authoritative information security expertise:
a. To guide the secure design, development, deployment and maintenance of the LDB's IT applications.
b. To provide options and recommendations for the LDB's response to information security-related threats,
trends, issues, and developments.
c. To ensure all aspects of information security requirements are identified and addressed throughout the LDB's
system development life cycle [3].
2. Leads initiatives to improve the LDB's information security policies and standards and address the changing scope of
security threats and computer technologies.
3. Provides expert advice and recommendations to business leaders throughout the LDB:
a. Interprets and explains policies and procedures; and provides security advice.
b. Analyzes business processes and identifies information security deficits/requirements.
c. Provides assistance to ensure business processes address new threats, and maintain compliance with
government information security management policies, standards and industry best practices.
d. Negotiates the remediation of non-compliance issues.
e. Provides support to ensure business users develop and implement secure methods to meet business needs.
f. Develops and maintains a thorough understanding of business information security requirements.
4. Identifies and remedies information security issues:
a. Leads or contributes to the identification of security threats.
b. Collaborates with technical teams on the identification and remediation of security incidents.
c. Develops security solutions and alternatives to meet business requirements.
d. Establishes information security parameters, security controls and validation processes for information
systems projects.
5. Leads information security-related research and analytical projects:
a. Investigates, defines and quantifies internal/external information security risks (including security and
compliance deficiencies).
b. Conducts research and performs qualitative/quantitative analysis (e.g. including cost/benefit analysis) to
develop and recommend cost-effective strategies to reduce information security project risks to acceptable
levels (as agreed by business clients).
6. Collaborates with team leads, clients, engineers, and developers to translate functional objectives into technical
security requirements, and to implement information security risk prevention/mitigation strategies. Follows up to
ensure success.
7. Leads and manages compliance review projects.
8. Contributes to, or coordinates, information security audits.
9. Leads and manages or contributes to information security projects with team members from within the branch, LDB,
other agencies and/or contractors (e.g. develops project charters; leads and manages project teams; identifies project
resource requirements, including capital budgets; delegates tasks; evaluates and recommends options; manages
performance relative to objectives; initiates corrective action when necessary; manages project reporting; and
ensures project deliverables are achieved within project parameters). Provides functional direction to project team
members: monitors performance and provides expert advice and guidance.
[3] Including the: initiation, definition, design, development, implementation, and follow-up phases.
10. Establishes and reports on metrics to monitor the effectiveness of security and compliance efforts and prepares
status reports.
11. Leads the design and implementation of initiatives (e.g. formal/informal training, communications, etc.) to increase
understanding of information security throughout the LDB.
12. Creates documentation for information security processes and procedures.
13. Contributes to projects and initiatives to ensure data and service confidentiality, integrity and availability.
14. Provides assistance to the Business Continuity, Incident Response and Disaster Recovery program (e.g. working with
business leaders to facilitate business impact analyses, develop plans, conduct table-top sessions and tests, etc.)
15. Contributes to procurement processes for vendors and contractors (e.g. recommends contract terms, deliverables
[including service level agreements], and timelines, and signs off on completion). Oversees vendor performance
relative to service agreements and initiates corrective action to remedy performance deficits.
16. Develops and maintains an in-depth understanding of the LDB’s vision, mission and business priorities.
17. Prepares and contributes to the preparation of briefing notes, reports, publications, project charters, presentation
materials, contracts, training materials, correspondence, website content and other documents (e.g. including
business and strategic plans).
18. Maintains expertise in current/emerging technology trends and developments in the information security industry
including security principles, methodologies, standards, mechanisms and techniques.
19. Performs other related duties.
FINANCIAL RESPONSIBILITY
• Conducts cost-benefit analyses.
• Participates in procurement processes for vendors and contractors (e.g. signs off on completion) and oversees
performance.
DIRECT SUPERVISION (i.e., responsibility for signing the employee appraisal form)
Role | # of Regular FTE’s | # of Auxiliary FTE’s
Directly supervises staff | 0 | 0
Supervises staff through subordinate supervisors | 0 | 0
PROJECT / TEAM LEADERSHIP OR TRAINING (Check the appropriate boxes)
Role | # of FTE’s
Supervises students or volunteers | 0
Lead project teams | <10
Provides formal training to other staff | <10
Assigns, monitors and examines the work of staff | <10
SPECIAL REQUIREMENTS
Criminal record check required.
TOOLS / EQUIPMENT
Standard office equipment
WORKING CONDITIONS
Standard office environment
WORK EXAMPLES
COMMENTS
PREPARED BY
NAME: Erin McEwan
DATE: October 2015
EXCLUDED MANAGER AUTHORIZATION
I confirm that:
1. the accountabilities / deliverables were assigned to this position effective: May 2015
2. the information in this position description reflects the actual work performed.
3. a copy has / will be provided to the incumbent(s).
NAME: Erin McEwan, Director, IT Risk and Support Services
SIGNATURE:
DATE: October 2015
ORGANIZATION CHART
STAFFING CRITERIA
Education and Experience:
• A degree in computer science, IT audit or a related field, and a minimum of 4 years of recent, related experience;* OR
• A combination of education, training and experience will be considered.
*Recent, related experience must include:
• experience identifying information risks
• experience identifying, testing and assessing controls and identifying remediation to mitigate risk
• experience applying security principles, methodologies, standards, and controls across a wide range of current/
emerging information technologies
• experience in analysing and documenting business processes and mapping them to business systems is desirable
• project and contract management experience
• experience working with and interviewing business and IT stakeholders
Preference may be given to candidates with any of the following:
• Current professional designation as a Certified Information Systems Security Professional (CISSP) or Certified
Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or equivalent
• Experience as an IT professional in a retail/wholesale/distribution business environment
Knowledge of:
• Advanced knowledge of information security architecture, principles, standards, and best practices
• Security and privacy issues of government and the broader public sector and how they relate to business
requirements and privacy regulations
• System development life cycle
• Electronic service delivery environment (e.g. e-government)
• Multiple operating systems (e.g., Windows, Linux, Unix)
• LDB business operations and the retail/wholesale supply chain
• Project and contract management
Skills and Abilities:
• Ability to quickly gain understanding of data flows
• Well-developed written and oral communication, presentation / facilitation and inter-personal skills and attention to
detail when communicating, and the ability to communicate complex matters in a manner that can be understood by
the audience
• Ability to apply persuasion and influence management skills within area of expertise, to advance the LDB's
information security objectives
• Excellent analytical and judgement abilities; and problem solving skills
• Ability to manage multiple priorities/projects and produce results within deadlines
• Ability to lead and manage teams
• Commitment to continuous learning
COMPETENCIES
Conceptual Thinking is the ability to identify patterns or connections between situations that are not obviously related,
and to identify key or underlying issues in complex situations. It includes using creative, conceptual or inductive
reasoning or thought processes that are not necessarily categorized by linear thinking.
Planning, Organizing and Coordinating involves proactively planning, establishing priorities and allocating resources.
It is expressed by developing and implementing increasingly complex plans. It also involves monitoring and adjusting
work to accomplish goals and deliver to the organization's mandate.
Strategic Orientation is the ability to link long-range visions and concepts to daily work, ranging from a simple
understanding to a sophisticated awareness of the impact of the world at large on strategies and on choices.
Innovation indicates an effort to improve performance by doing or promoting new things, such as introducing a
previously unknown or untried solution or procedure to the specific area or organization.
Commitment to Continuous Learning involves a commitment to think about the ongoing and evolving needs of the
organization and to learn how new and different solutions can be utilized to ensure success and move the organization
forward.
Expertise includes the motivation to expand and use technical knowledge or to distribute work-related knowledge to
others.
Results Orientation is a concern for surpassing a standard of excellence. The standard may be one’s own past
performance (striving for improvement); an objective measure (achievement orientation); challenging goals that one has
set; or even improving or surpassing what has already been done (continuous improvement). Thus, a unique
accomplishment also indicates a Results Orientation.
Building Partnerships with Stakeholders is the ability to build long-term or on-going relationships with stakeholders
(e.g. someone who shares an interest in what you are doing). This type of relationship is often quite deliberate and is
typically focused on the way the relationship is conducted. Implicit in this competency is demonstrating a respect for
and stating positive expectations of the stakeholder.
Teamwork and Co-operation is the ability to work co-operatively within diverse teams, work groups and across the
organization to achieve group and organizational goals. It includes the desire and ability to understand and respond
effectively to other people from diverse backgrounds with diverse views.
Holding People Accountable involves setting high standards of performance and holding team members, other
government jurisdictions, outside contractors, industry agencies, etc., accountable for results and actions.
81901047