Specialist Information Security


Offre publiée le 2024-03-25


At CN, we work together to move our company and North America forward. Be part of our Information & Technology (I&T) team, a critical piece of the engine that keeps us in motion.

From enterprise architecture to operational technology, our teams use the agile methodology to automate and digitize our railroad ensuring our operations run optimally and safely and our employees can focus on value-added tasks.

You will be able to develop your skills and career in our close-knit, safety-focused culture working together as ONE TEAM.

The careers we offer are meaningful because the work we do matters. Join us! Job Summary

CN is looking for an Information Security GRC (Governance, Risk & Compliance) specialist to help sustain and grow our Information Security Compliance responsibilities .

Reporting to the Senior Manager GRC , the specialist will primarily be responsible for supporting Sarbanes-Oxley (SOX) regulatory compliance and other compliance management activities relating to cybersecurity and the Information Security program.

The specialist will act as Subject Matter Expert (SME) for information security subjects including, but not limited to : SOX IT General Controls compliance and understanding information security regulatory frameworks such as Payment Card Industry (PCI), Transportation Security Association (TSA), and others;

compiling and reporting associated metrics and compliance evidence; project support and GRC processes consulting; owning, managing, reporting, and auditing compliance against information security controls.

The role contributes significantly to the Governance, Risk and Compliance (GRC) initiative assuring CN's adherence to the Sarbanes Oxley (SOX) Section 404 regulatory framework.

The position also provides project support, GRC document preparation, and auditing compliance against other information security regulations and controls.

Main Responsibilities

  • Assess and challenge the effectiveness of information security requirements and controls by working collaboratively with system owners and other stakeholders.
  • Support the assessment and documentation of all Information and Technology General Controls (ITGC) related to the SOX program as part of ongoing compliance efforts
  • Serve as Control Owner or Control Performer for several Information and Technology (I&T) controls
  • Provide primary leadership on maintaining, supporting, and operating the CN Information Security GRC framework, including ensuring regulatory compliance within the I&T business unit, management of security related policies, and constant evolution to adapt to business requirements.
  • Communicate, oversee, and support security recommendations to meet business objectives in a proactive and pragmatic manner, ensuring an appropriate level of engagement with clients to ensure success.
  • Ensure that adequate and effective information security controls are documented and followed.
  • Collaborate withGRC Risk SMEs to ensure that any identified risks are appropriately logged and managed.
  • Report on information security compliance, and their relationship with business impacts.
  • Provide guidance during the assessment and / or review of new IT solution and / or new and existing technology to maintain compliance with regulatory (g.

Sarbanes Oxley, PCI, SWIFT, etc.) and security requirements.

Interact with other cybersecurity teams and various I&T entities as necessary to understand, apply, and enforce security requirements.



  • 5+ years of experience in an information security / cybersecurity / compliance / IT Audit role
  • Practical experience tracking and reporting KPIs / KRIs
  • Experience creating and updating information security policies, standards, procedures, and other documentation
  • Experience with GRC tools, ServiceNow, and SharePoint
  • Previous experience in ensuring compliance with SOX IT General Controls or other IT controls is an asset
  • Experience with GRC tools, ServiceNow, and / or Power BI is a plus

Education / Certification / Designation

Possess a Bachelor's Degree in an IT discipline or a related field -or- equivalent work experience.

Professional Designation in Information Security compliance or Security such as Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), and / or other related designations.

Technical Skills / Knowledge

  • Broad knowledge of information security processes and functions including risk management, vulnerability management, access management, and secure development
  • Strongknowledge and practical experience applying standards, frameworks, regulations, and legislation governing information security and privacy, e.


  • Knowledge and practical experience developing, managing, and updating information security policies, standards, procedures, and other documentation
  • Knowledge and general understanding of IT and OT security controls and control models.

General Skills and Competencies

  • Integrity with high ethical standards
  • Effective communication and interaction with others
  • Teamwork & collaboration in order to achieve common goals
  • Flexible in order to effectively manage multiple assignments and adapt to changing priorities About CN CN is a world-class transportation leader and trade-enabler.

Essential to the economy, to the customers, and to the communities it serves, CN safely transports more than 300 million tons of natural resources, manufactured products, and finished goods throughout North America every year.

As the only railroad connecting Canada's Eastern and Western coasts with the Southern tip of the U.S. through a 19,500 mile rail network, CN and its affiliates have been contributing to community prosperity and sustainable trade since 1919.

CN is committed to programs supporting social responsibility and environmental stewardship. At CN, we work as ONE TEAM, focused on safety, sustainability and our customers, providing operational and supply chain excellence to deliver results.

For internal candidates, note that the grade level of the position will depend on the employee's experience.

At CN, we are dedicated to building North America's safest, most inclusive and sustainable railroad, which includes reflecting the communities in which we operate.

Research shows that candidates from underrepresented groups often don't apply unless they feel they fit the job posting at 100%.

Even if you don't see yourself in every job requirement listed in a posting, we still encourage you to apply. If you require an accommodation for the recruitment process (including alternate formats of materials, accessible meeting rooms or other accommodations), please reach out to our team at [email protected].

As an equal employment opportunity employer, all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, and other protected status as required by applicable law.

We thank all applicants for their interest, however, only candidates under consideration will be contacted. Please monitor your email on a regular basis, as communication is primarily made through email.

1 hour ago