Threat Risk Assessment (TRA) Specialist / Penetration Testing (PT) Specialist – Senior
Indexed description
Client: Government of Nova Scotia – Cyber Security & Digital Solutions (CSDS)
Project: Land Modernization Initiative (LMI)
Location: Halifax, Nova Scotia (Remote with optional onsite work)
Contract Duration: July 20, 2026 – May 31, 2027
Engagement Type: Competitive-Sourced
Work Arrangement: Remote (with occasional collaboration with CSDS stakeholders)
Project Overview
The Government of Nova Scotia is seeking experienced cybersecurity professionals to support the Land Modernization Initiative (LMI), a major transformation program modernizing the Province’s Land Registry services.
The selected consultants will work closely with the CSDS/LMI Technical Manager, Cyber Security and Risk Management (CSRM) team, and business stakeholders to conduct:
- Threat Risk Assessments (TRA)
- Penetration Testing (PT)
- Security risk analysis
- Vulnerability assessments
- Security recommendations and remediation guidance
Requirements
Key Responsibilities
Threat Risk Assessment (TRA)
Scope
- Identify and document security threats, vulnerabilities, and risks across the Nova Scotia Land Registry ecosystem.
- Assess people, processes, technologies, communications, and information assets.
- Evaluate likelihood and business impact of identified risks.
- Recommend mitigation strategies and security controls.
- Perform assessments using the NIST SP 800-53 Revision 5 High Baseline framework.
- Review security certifications and reports including:
- ISO/IEC 27001
- ISO/IEC 42001
- SOC 2 Type II
- PCI DSS
- Conduct workshops and stakeholder interviews.
- Review system architecture, integrations, and data flows.
- Analyze operational effectiveness of security controls.
- Assess compliance across applicable NIST control families.
- Document threat actors, attack vectors, vulnerabilities, and risk treatments.
- Produce executive and technical reports.
- Present findings to senior leadership and project stakeholders.
Scope
Conduct penetration testing against:
- Web Applications
- APIs
- Cloud Environments
- Networks
- Mobile Applications
- Endpoints
- White Box Testing
- Grey Box Testing
- Black Box Testing
- Execute penetration testing using industry best practices.
- Identify, validate, and document vulnerabilities.
- Analyze prior security testing results.
- Conduct remediation verification and retesting.
- Produce executive and technical reports.
- Immediately escalate Critical vulnerabilities using CVSS standards.
- Participate in ongoing security assessments and risk management activities.
Threat Risk Assessment Deliverables
- Draft TRA Report
- Final TRA Report
- Completed TRA Checklist
- Risk Response Form
- Executive Presentation
- Final Penetration Testing Report
- Executive Presentation
- Remediation Validation / Retest Results
Candidates who do not meet the following requirements should not be submitted.
Threat Risk Assessment Requirements
Mandatory Experience
- Minimum 3 years of experience conducting Threat Risk Assessments (TRAs) on digital systems.
- At least one proposed resource must have completed two (2) or more TRAs on digital systems within the last three (3) years.
- Experience conducting TRAs within Canadian public sector environments.
- Experience working with:
- NIST SP 800-53
- ISO/IEC 27001
- ISO/IEC 42001
- SOC 2 Type II
- PCI DSS
- Experience assessing:
- Cloud environments (AWS, Azure)
- Network infrastructure
- Enterprise applications
- Technology platforms
- Ability to work with business, security, and technical teams.
- Criminal Record Check completed within the last six (6) months.
Mandatory Experience
- Minimum 3 years of experience conducting penetration testing.
- At least one proposed resource must have completed two (2) or more penetration tests within the last twelve (12) months.
- Experience conducting penetration testing in Canadian public sector organizations.
- Strong experience testing:
- Web applications
- APIs
- Cloud environments
- Networks
- Enterprise systems
Tier 1 Certification (Required)
At least one proposed resource must hold one of the following:
- OSCP (Offensive Security Certified Professional)
- CREST CRT (Registered Penetration Tester)
At least one proposed resource should hold one of the following:
- CEH Master
- GPEN
- CompTIA PenTest+
- Criminal Record Check completed within the last six (6) months.
The following are considered strong assets:
Security Certifications
- CISSP
- CISM
- CRISC
- OSCP
- CREST CRT
- CEH Master
- GPEN
- CompTIA PenTest+
- Previous experience performing Threat Risk Assessments for Canadian government organizations.
- Previous experience conducting Penetration Testing for Canadian government organizations.
- Direct experience supporting the Government of Nova Scotia.
- Familiarity with Government of Nova Scotia cybersecurity standards, risk frameworks, and governance processes.
Candidates should demonstrate expertise in:
- Threat Risk Assessment Methodologies
- Penetration Testing Methodologies
- NIST SP 800-53 Rev. 5
- ISO/IEC 27001
- ISO/IEC 42001
- SOC 2 Type II
- PCI DSS
- Cyber Risk Management
- Vulnerability Assessment
- Security Architecture Review
- Risk Analysis and Treatment Planning
- Security Control Assessment
- Cloud Security (AWS / Azure)
- Application Security
- Network Security
- Security Reporting and Executive Presentations
- CVSS Scoring Framework
Candidates and vendors will be evaluated based on:
- TRA experience and expertise
- Penetration testing experience
- NIST and security framework knowledge
- Tier 1 and Tier 2 security certifications
- Public sector cybersecurity experience
- Government of Nova Scotia experience
- Client references
- Pricing competitiveness
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search