Chief Information Security Officer & Data Privacy Officer
To oversee the protection of bank and customer data, as well as the protection of infrastructure and assets from malicious actors. Serves as the process owner of all assurance activities related to the availability, integrity, and confidentiality of customer, business partner, employee, and business information in compliance with the bank’s information security policies.
- Audit and Compliance
- Policies, Standards and Procedures
- Change Management and Change Catalyst
- Data Protection/Privacy
- Information Security Awareness Training
- Risk Management
- Security Operations Center (SOC)
- Business Continuity and Disaster Recovery
- Identity and Access Management
- Incident Reporting
- Cyber security
- Draw up and implement a 5-year strategy plan towards the organization’s ISMS certification (ISO/IEC 27001)
- Draw up a yearly budgetary proposal towards mitigating technology risk in the organization
- Keep up to date with the latest security and technology developments
- Research/evaluate emerging security threats and ways to manage them
Audit and Compliance
- Leading auditing and security compliance initiatives.
- Ensure that an annual Central Bank of Kenya (CBK) Cyber Security Compliance Report is provided
- Drive the testing and evaluation of security products
Policies, Standards and Procedures
- Develop information security policies and standards, keep them up to date, and ensure they are in place and followed through socialization
Change Management and Change Catalyst
- Introduce security risk assessments in the product development lifecycle
- Introduce NDA compliance for all vendors
- Vendor Minimum Security Baseline Evaluation
- Implement an annual KPI checklist and vendor risk management for all vendors
- Design new security systems or upgrade existing ones
Data Protection/Privacy
- Develop a strategy for data privacy compliance and walk through its implementation.
- Data Protection Awareness Champion.
- Conduct data mapping and Data Protection Impact Assessments.
Information Security Awareness Training
- Develop an information security awareness program, prepare curricula for different sets of users, and execute the program
Risk Management
- Maintain an information security risk register for the business
- Ensure security on all platform infrastructure and external integrations
Security Operations Center (SOC)
- Implement Information Security Incident Management program
- Operationalize a SOC and implement a SIEM
- Identify potential weaknesses and implement measures, such as firewalls and encryption
- Implement alert closure programs in Netguardians (Fraud) solution.
- Implement endpoint security, including data leak prevention and mobile device management
- Monitor and respond to phishing emails and pharming activity
- Analysis and Monitoring of entry points, activity logs, internal environments, and databases.
- Vulnerability Assessment and Penetration Testing schedule and timetable
Business Continuity and Disaster Recovery
- Update and implement a business continuity plan for the business.
- Conduct Business Impact Assessment and define RPO and RTOs for the business.
- Execute tabletop and live disaster recovery plan tests covering people, systems and processes.
- Conduct drills and work on areas of improvement.
Identity and Access Management
- Onboarding and off-boarding of assets
- User provisioning/de-provisioning and privileged access management.
- Develop and maintain a role-based access control matrix
Incident Reporting
- Update and implement an incident reporting mechanism and plan for the business
- Incident reporting to CBK as required
- Investigate security alerts and provide incident response.
- Use advanced analytic tools to determine emerging threat patterns and vulnerabilities
- Engage in ethical hacking, for example, simulating security breaches
- Generate reports for both technical and non-technical staff and stakeholders.
- Data Security and Fraud Prevention.
- Subject matter expert on Information Security, cyber security, and data Privacy
- Facilitate the following training:
  - User awareness training for all staff
  - Professional cyber-related training for technical staff
  - Cybersecurity training and updates for Board Members
  - Cybersecurity awareness for customers, suppliers, partners, outsourced service providers, and other third parties.
- Submit the required cybersecurity regulatory returns to the Central Bank of Kenya, as per the prescribed timelines.
- Ensure timely and comprehensive reports to the CEO, Senior Management, Board Audit Risk Management Committee, and the Board. These reports should be submitted at least quarterly.
- Design and periodically review the Bank’s cybersecurity program
- Support the submission of the following to the Board for approval, at least annually:
  - Cybersecurity strategy/risk management plan.
  - Cybersecurity policy and framework, or revisions thereof
  - Cybersecurity risk assessments and risk appetite
  - Cybersecurity budget
- Design cybersecurity controls with consideration for users at all levels of the organization and advise the Business. Follow up with the responsible functions for implementation.
- Ensure that the business develops a cyber asset register that classifies its cybersecurity assets and identifies critical assets.
- Identify and facilitate compliance with data protection/data privacy requirements.
- Manage the Security Operations Centre of the Bank to perform operational information security monitoring, testing, and threat intelligence. Where this function is outsourced, conduct oversight over and provide directions to any third-party service provider to whom this is outsourced.
- As the cybersecurity coordinator, perform the following roles:
  - Regularly review the Bank’s incident response plan. This should include a data breach response plan.
  - Regularly review the composition of the CSIRT
  - Train CSIRT members on their roles and responsibilities
  - Conduct regular tests and report test results to senior management, Board Risk Management Committee, and Board Audit Committee.
  - Liaise with the Business Continuity Co-ordinator and the ICT function to ensure that adequate disaster recovery measures are in place, i.e. a functioning disaster recovery site and adequate backups of critical IT systems and data in line with the required Recovery Time and Recovery Point Objectives.
QUALIFICATIONS & EXPERIENCE
- A minimum of a Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, Business, or a related field.
- A Master’s degree in IT security will be an added advantage.
- 3 to 5 years of banking experience
- Knowledgeable in IT operations
- Proficient in IS security
- Knowledge of data protection laws and the General Data Protection Regulation (GDPR) is an added advantage.
SKILLS & COMPETENCIES
- Excellent interpersonal & Communication Skills.
- Working in Teams.
- Excellent analytical skills.
- Organization skills.
- Problem-solving skills.
- Excellent knowledge of security tools.
- Report writing skills.
- Professional qualification such as Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP).
- Member of ISACA.