Reports To: AGM & Head of Risk & Compliance
- Continuously test disaster recovery and Business Continuity Plan (BCP) arrangements to ensure that the bank can continue to function and meet its regulatory obligations in the event of an unforeseen cyber-crime attack.
- Oversee and implement the bank's cyber security program and enforce its policy.
- Ensure that the bank maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to:
  - software and hardware asset inventory
  - network maps (including boundaries, traffic and data flow)
  - network utilization and performance data
- Ensure that information systems comply with the overall risk appetite and ICT risk management policies of the bank.
- Design cyber security controls with consideration for users at all levels of the organization, including internal users (i.e. management and staff) and external users (i.e. contractors/consultants, business partners and service providers).
- Conduct regular and comprehensive cyber security risk assessments that consider people (i.e. employees, customers, outsourcing and other external parties), processes, data, and technology across all business lines and locations.
- Monitor current and emerging cyber security risks.
- Maintain comprehensive cyber security risk registers. Risk identification should be forward-looking and include security incident handling.
- Prepare quarterly reports and required ad-hoc reports to the Board Enterprise Risk Committee on the following:
  - Assessment of the confidentiality, integrity and availability of the information systems in the bank.
  - Detailed exceptions to the approved cyber security policies and procedures.
  - Cyber security risk identification.
  - Assessment of the effectiveness of the approved cyber security program.
  - All material cyber security events that affected the bank during the period.
- Ensure timely update of the incident response mechanism and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered.
- Use scenario analysis to consider a material cyber-attack and its mitigating actions, and to identify potential control gaps.
- Ensure frequent data backups of critical ICT systems (e.g. real-time backup of changes made to critical data) are carried out to a separate storage location.
- Ensure the roles and responsibilities for managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
- Organize professional cyber-related training to improve the technical proficiency of staff.
- As Data Protection Officer, amongst other responsibilities as covered in the designation memo, establish the Data Protection Framework and Implementation Plan, develop applicable policies and procedures, and ensure compliance with Gulf African Bank's Data Protection Policy.
Qualifications and experience
- Bachelor’s degree in Information Technology.
- Certified Information Systems Security Professional (CISSP).
- Certified Information Security Manager (CISM) certification would be an added advantage.
- Certified Information Systems Auditor (CISA) certification would be an added advantage.
- Over 7 years of proven IT security experience, or demonstrable IT professionalism in a highly computerized environment, with an understanding of risk and systems security control processes.
- Good understanding of Cyber Security, Information Security risks and control objectives.
Competencies Required for this Role
- Digital leadership skills – capable of empowering and leading an IT team to meet business and IT security goals
- Solid people management skills – providing direction, monitoring performance, motivating staff and building a positive working environment
- Ability to adapt to a fast-moving IT landscape and keep pace with latest thinking and new security technologies
- A passion for technology and security safeguarding with a desire to deliver
- Thrives on change, showing an impressive ability to drive the IT security strategy forward
- Analytical mind capable of managing numerous information sources and providing data analysis reports to senior management
- Strong customer focus – able to meet the demands of internal and external customers
- Excellent communication skills – providing outstanding verbal and written communication to direct reports, senior management and other stakeholders
- Flexible and adaptable – capable of changing direction where required and showing flexibility to meet new demands
- Forms business partnerships that help drive the IT security strategy forward
- Can make decisions that are well informed and timely
- Creative thinking – able to look at alternatives and consider new ways of thinking to problem solve
- Multi-tasking – can manage several concurrent projects and prioritize demands