Threat Risk Assessment (TRA) Specialist / Penetration Testing (PT) Specialist – Senior Client: Government of Nova Scotia – Cyber Security & Digital Solutions (CSDS) Project: Land Modernization Initiative (LMI) Location: Halifax, Nova Scotia (Remote with optional onsite work) Contract Duration: July 20, 2026 – May 31, 2027 Engagement Type: Competitive-Sourced Work Arrangement: Remote (with occasional collaboration with CSDS stakeholders) Project Overview The Government of Nova Scotia is seeking experienced cybersecurity professionals to support the Land Modernization Initiative (LMI), a major transformation program modernizing the Province’s Land Registry services. The selected consultants will work closely with the CSDS/LMI Technical Manager, Cyber Security and Risk Management (CSRM) team, and business stakeholders to conduct: Threat Risk Assessments (TRA) Penetration Testing (PT) Security risk analysis Vulnerability assessments Security recommendations and remediation guidance The initial engagement focuses on the MVS 1.0 release, with potential future work supporting releases 1.1, 1.2, and 1.3.

Requirements

Key Responsibilities Threat Risk Assessment (TRA) Scope Identify and document security threats, vulnerabilities, and risks across the Nova Scotia Land Registry ecosystem. Assess people, processes, technologies, communications, and information assets. Evaluate likelihood and business impact of identified risks. Recommend mitigation strategies and security controls. Perform assessments using the NIST SP 800-53 Revision 5 High Baseline framework. Review security certifications and reports including: ISO/IEC 27001 ISO/IEC 42001 SOC 2 Type II PCI DSS Activities Conduct workshops and stakeholder interviews. Review system architecture, integrations, and data flows. Analyze operational effectiveness of security controls. Assess compliance across applicable NIST control families. Document threat actors, attack vectors, vulnerabilities, and risk treatments. Produce executive and technical reports. Present findings to senior leadership and project stakeholders. Penetration Testing (PT) Scope Conduct penetration testing against: Web Applications APIs Cloud Environments Networks Mobile Applications Endpoints Testing Methodologies White Box Testing Grey Box Testing Black Box Testing Activities Execute penetration testing using industry best practices. Identify, validate, and document vulnerabilities. Analyze prior security testing results. Conduct remediation verification and retesting. Produce executive and technical reports. Immediately escalate Critical vulnerabilities using CVSS standards. Participate in ongoing security assessments and risk management activities. Required Deliverables Threat Risk Assessment Deliverables Draft TRA Report Final TRA Report Completed TRA Checklist Risk Response Form Executive Presentation Penetration Testing Deliverables Final Penetration Testing Report Executive Presentation Remediation Validation / Retest Results Mandatory Qualifications (Required) Candidates who do not meet the following requirements should not be submitted. Threat Risk Assessment Requirements Mandatory Experience Minimum 3 years of experience conducting Threat Risk Assessments (TRAs) on digital systems. At least one proposed resource must have completed two (2) or more TRAs on digital systems within the last three (3) years. Experience conducting TRAs within Canadian public sector environments. Experience working with: NIST SP 800-53 ISO/IEC 27001 ISO/IEC 42001 SOC 2 Type II PCI DSS Experience assessing: Cloud environments (AWS, Azure) Network infrastructure Enterprise applications Technology platforms Ability to work with business, security, and technical teams. Mandatory Documentation Criminal Record Check completed within the last six (6) months. Penetration Testing Requirements Mandatory Experience Minimum 3 years of experience conducting penetration testing. At least one proposed resource must have completed two (2) or more penetration tests within the last twelve (12) months. Experience conducting penetration testing in Canadian public sector organizations. Strong experience testing: Web applications APIs Cloud environments Networks Enterprise systems Mandatory Certifications Tier 1 Certification (Required) At least one proposed resource must hold one of the following: OSCP (Offensive Security Certified Professional) CREST CRT (Registered Penetration Tester) Tier 2 Certification (Required) At least one proposed resource should hold one of the following: CEH Master GPEN CompTIA PenTest+ Mandatory Documentation Criminal Record Check completed within the last six (6) months. Preferred Qualifications The following are considered strong assets: Security Certifications CISSP CISM CRISC OSCP CREST CRT CEH Master GPEN CompTIA PenTest+ Government Experience Previous experience performing Threat Risk Assessments for Canadian government organizations. Previous experience conducting Penetration Testing for Canadian government organizations. Direct experience supporting the Government of Nova Scotia. Familiarity with Government of Nova Scotia cybersecurity standards, risk frameworks, and governance processes. Technical Skills Candidates should demonstrate expertise in: Threat Risk Assessment Methodologies Penetration Testing Methodologies NIST SP 800-53 Rev. 5 ISO/IEC 27001 ISO/IEC 42001 SOC 2 Type II PCI DSS Cyber Risk Management Vulnerability Assessment Security Architecture Review Risk Analysis and Treatment Planning Security Control Assessment Cloud Security (AWS / Azure) Application Security Network Security Security Reporting and Executive Presentations CVSS Scoring Framework Evaluation Highlights Candidates and vendors will be evaluated based on: TRA experience and expertise Penetration testing experience NIST and security framework knowledge Tier 1 and Tier 2 security certifications Public sector cybersecurity experience Government of Nova Scotia experience Client references Pricing competitiveness This opportunity is ideal for senior cybersecurity consultants with proven expertise in both Threat Risk Assessments and Penetration Testing within government and highly regulated environments. The successful team will play a critical role in securing one of Nova Scotia's most significant digital modernization initiatives.