INFORMATION SECURITY FUNCTION
1. REQUIREMENTS AND QUALIFICATIONS
Minimum of seven to 10 years of experience in a combination of risk management, information security and IT (at least five must be in a senior leadership role).
Information security experience in the banking sector will be an added advantage.
Strong knowledge and understanding of relevant legal and regulatory requirements, such as: NESA, ISO 27001 / 27002, NIST, COBIT.
Up-to-date knowledge of methodologies and trends in both business and IT.
Project management skills: financial / budget management, scheduling and resource management.
Experience in implementing information security projects such as: DLP, SIEM, PAM, VAPT, etc.
Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies.
Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment.
Ability to lead, coach and motivate the information security team to achieve tactical and strategic goals.
Degree in an information security / information technology-related field, or equivalent work- or education-related experience.
Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.
2. SECONDMENT RESOURCE RESPONSIBILITIES
a. ESTABLISH GOVERNANCE AND BUILD KNOWLEDGE
Revise / create / update the information security governance structure through the implementation of a hierarchical governance program, including revising the information security roles and responsibilities in the IT IS steering committee.
Provide regular reporting on the current status of the information security program to risk teams, the IT Steering Committee / MANCOM and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
Work with IT and the Admin & Procurement Department to ensure that all information security requirements are included in contracts by liaising with vendor management and procurement organizations.
Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
Provide clear risk-mitigating directives for projects with components in IT, including the mandatory application of controls.
Lead the information security champion program to mobilize employees in all locations.
b. SET THE STRATEGY
Revise / create / update the information security vision and strategy, ensure its alignment with organizational priorities so that it enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and / or processed by the organization.
Assist with the identification of non-IT-managed IT services in use ("citizen IT") and facilitate a corporate IT onboarding program to bring these services into the scope of the IT function, and apply standard controls and rigor to these services; where this is not possible, ensure that risk is reduced to the appropriate levels and ownership of this information security risk is clear.
Work effectively with business units to facilitate information security risk assessment and risk management processes and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
c. DEVELOP THE FRAMEWORKS
Create / revise and enhance the information security management framework based on the following: NESA, ISO 27001 / 27002, NIST, COBIT.
Create and manage a unified and flexible control framework to integrate and normalize the wide variety of ever-changing requirements resulting from global laws, standards and regulations.
Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines.
Oversee the approval and publication of these information security policies and practices.
Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of information security, and review it with stakeholders at the executive and board levels.
d. OPERATE THE INFORMATION SECURITY FUNCTION
Create a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
Ensure that vulnerability assessment and penetration testing (VAPT) is conducted regularly with the help of consultants and that the findings are appropriately closed within the agreed time.
Define and facilitate the implementation of security solutions such as privileged access management (PAM), security information and event management (SIEM), data loss prevention (DLP), etc.
Work with the compliance staff to ensure that all information owned, collected or controlled is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
Collaborate and liaise with Legal & Compliance to ensure that data privacy requirements are included where applicable.
Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines.
Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.
Manage and contain information security incidents and events to protect IT assets, intellectual property, regulated data and the organization's reputation.
Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
Revise and oversee effective IT disaster recovery policies and standards to align with the Business Continuity Management (BCM) program goals, with the realization that components supporting primary business processes may be outside the perimeter.
Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.
Facilitate and support the development of asset inventories, including information assets in all channels and mediums within the ecosystem.
Train the in-house team to take up the entire information security function, and provide training and guidance for the same.
Manage all internal and external audit findings and ensure timely closure.
Mentor and coach the information security staff and IT security staff to ensure appropriate transfer of knowledge and upgrading of their knowledge and skills to run their functions within the framework.
Coordinate, measure and report on the technical aspects of security management.
Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
Manage and coordinate operational components of incident management, including detection, response and reporting.
Maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
Manage security projects and provide expert guidance on security matters for other IT projects.
Assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing and maintenance of disaster recovery plans.
Update BCM documentation and review DR test documentation.
Ensure / review that audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.
Design, coordinate and oversee security testing procedures to verify the security of systems, networks and applications, and manage the remediation of identified risks.