We’re a Canadian-based integrated energy company headquartered in Calgary. We’re committed to maximizing value by developing our assets in a safe, responsible and cost-efficient manner, integrating sustainability considerations into our business plans.
We operate in Canada, the United States and the Asia Pacific region. Our operations include oil sands projects in northern Alberta, thermal and conventional crude oil and natural gas projects across Western Canada, crude oil production offshore Newfoundland and Labrador, and natural gas and liquids production offshore China and Indonesia. Cenovus’s downstream operations include upgrading, refining and marketing operations in Canada and the United States.
Our shares trade under the symbol CVE and are listed on the Toronto and New York stock exchanges.
Cenovus is seeking a Cybersecurity Governance, Risk, and Compliance (GRC) Analyst to support core administrative security and system hygiene activities within the System Controls and Monitoring Team. This role is primarily focused on the execution and maintenance of foundational cyber controls, including recurring access reviews, system and account monitoring, control evidence collection, and validation of compliance with established standards and policies.
The position involves routine, detail-oriented, and audit-like work essential to maintaining a secure and well-governed IT environment. Success in this role depends on consistency, accuracy, and the ability to follow defined procedures across large enterprise systems. The work is structured, process-driven, and operational in nature rather than investigative or threat-hunting focused.
The successful candidate will work closely with IT service owners, identity and access management teams, and compliance stakeholders to ensure controls are executed as designed and deficiencies are identified, tracked, and remediated. This role is well suited to individuals who take satisfaction in keeping systems clean, compliant, and predictable, and who are comfortable performing repetitive control activities that underpin enterprise cybersecurity assurance.
Key Responsibilities:
- Execute recurring access reviews (including SOX, privileged, and standard user access) in accordance with documented procedures, ensuring continued alignment with approved access models, security policies, and regulatory requirements.
- Perform ongoing monitoring and maintenance of directory and domain hygiene, including user account lifecycle activities, group membership validation, and identification of stale, orphaned, or non-compliant accounts.
- Administer established cybersecurity governance and compliance processes, ensuring controls are performed consistently, evidence is complete, and deviations from policy are identified and escalated.
- Conduct routine control-based risk assessments focused on identifying control gaps, misconfigurations, or process breakdowns rather than theoretical threat modeling.
- Monitor, validate, and evidence the operation of technical and administrative security controls, ensuring controls are functioning as designed and producing auditable results.
- Work with IT service owners and business stakeholders to resolve access discrepancies, hygiene issues, and control deficiencies, particularly those arising from operational processes or third-party dependencies.
- Maintain detailed documentation, logs, and reports for governance, risk, and compliance activities to support audits, management review, and regulatory scrutiny.
- Participate in internal and external audits by preparing evidence, responding to auditor inquiries, and supporting remediation of identified findings.
Qualifications:
- Working knowledge of identity and access management, account monitoring, and domain hygiene within large enterprise environments.
- Practical familiarity with control frameworks and compliance standards (e.g., NIST, ISO 27001, COBIT, SOX), with emphasis on control execution rather than framework design.
- Solid hands-on understanding of enterprise IT environments, including directories, infrastructure platforms, and business applications.
- Exposure to cloud platforms (e.g., Azure, AWS) from a governance, access control, or compliance perspective.
- Bachelor’s degree in Information Technology, Cybersecurity, or a related discipline, or equivalent practical experience in IT controls, audit, or compliance functions.
- Strong process discipline, with the ability to follow documented procedures, maintain accurate records, and produce repeatable, auditable outcomes.
- Clear and professional written and verbal communication skills, particularly for documenting findings, explaining access issues, and supporting audits.
- Prior experience in oil and gas or other highly regulated industries, with exposure to formal governance, audit, or compliance expectations.
- Practical familiarity with Active Directory governance, including its role in access control, segregation of duties, and enterprise IT control environments.
- Exposure to IT audit, control testing, or risk management activities, such as evidence preparation, issue tracking, and remediation support.