JOB PURPOSE

The role is responsible for overseeing the security and Data Protection framework to ensure controls are in place in the bank, direct the cyber security and Data Privacy strategy, identify threat scenarios, quantify risks and work with stakeholders to ensure effective mitigation controls are in place and ensure compliance with all relevant regulatory requirements.

KEY RESPONSIBILITIES

  • Governance and Compliance
  • Cyber Security and Data Impact Assessment
  • Incident Management
  • Reporting

MAIN ACTIVITIES

Governance and Compliance:

  • Establishing the Data Protection Regulation Governance, regulatory framework and implementation plan which shall include development of the various required statements and policies.
  • Driving implementation of essential elements of the Data Protection Regulation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
  • Regularly training all internal stakeholders involved in data collection/processing, updating the training, and conducting specific training for specific processing requirements.
  • Maintaining data protection policies and procedures.

Cyber Security and Data Impact Assessment:

  • Ensuring Records of Processing Activities (ROPA) are undertaken in line with data privacy laws.
  • Creating an Information Base: Guide and support on the creation of an information base on Data Protection and any other elements which may be helpful to the controllers and the staff of the organization.
  • Data Protection Regulations: Carrying out impact assessments and developing, together with the business and support functions, data protection policies, guidelines, and processes to ensure that compliance is consistent and in line with the Data Protection Regulation.
  • Support the business in preparing digital and other privacy statements as may be required for the institutions and supporting functions, and ensure processes are put in place for the institutions/support functions to collect consents from the relevant data subjects and partners and to have relevant privacy statements provided on all company forms and/or literature, websites and other communication or data collection media.
  • Ensure the Bank maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to:
      o Software and hardware asset inventory
      o Network maps (including boundaries, traffic and data flow); and
      o Network utilization and performance data
  • Keep up to date with the latest security and technology developments, and research/evaluate emerging security threats and ways to manage them.
  • Networking with other Data Protection Officers to share information and keep up with information and emerging trends around data protection, as well as following up on changes in laws and making recommendations on changes required.

Business Continuity and Disaster Recovery Coordination:

  • Ensure the roles and responsibilities of managing cyber and Data Privacy risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
  • Creating and maintaining a register of comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request.
  • Disaster recovery coordination. Maintain the IT Disaster Recovery Plan, including annual reviews.
  • Oversee the regular testing of the plan and update it for major changes in hardware, applications, business and regulatory requirements accordingly.
  • Coordinate testing and reporting of data backup restorations.
  • Ensure adequate backups of critical IT systems and data in line with predetermined recovery objectives (e.g. real-time backup of changes made to critical data) are carried out to a site that is unlikely to be affected by a disaster event at the main processing site.
  • Put in place BCP and disaster recovery test plans to ensure that the Bank can continue to function and meet its regulatory obligations in the event of unforeseen circumstances.

Monitoring and Review of Systems:

  • Monitoring performance and adherence to the requirements of the regulation while providing advice on the data protection impact assessment.
  • Conducting audits to ensure compliance, accountability and address potential issues proactively.
  • Monitor security events received from the Bank’s security tools on applicable perimeter devices, systems, databases and servers for potential attacks, suspicious or anomalous activities.
  • Assist in identifying new solutions to improve the ISO monitoring role in threat identification, detection and response capabilities.
  • Strengthen the monitoring of system transaction integrity and events by reviewing the system audit logs and escalating noted anomalies.
  • Analyze and document business process objectives and design to identify required information systems controls.

Incident Management:

  • Serving as the Data Protection Officer and point of contact between the Companies, the Data Commissioner and other Regulatory Authorities, and co-operating with them during inspections by answering any complaints or queries raised with regard to Data Protection.
  • Handling queries or complaints internally or externally regarding data confidentiality and use.
  • Escalate and report on incidents, potential gaps or risks as observed during monitoring activities.
  • Document the security breaches and measure the damage caused.

Reporting:

  • Reporting to the Supervisor:
  • Providing updates on the Data Protection compliance programme to the Board and Risk Management Committee.
  • Providing status updates to the Head of Risk and Senior Management on a regular basis (at least monthly) and drawing immediate attention to any failure to comply with the applicable data protection requirements.
  • Share a monthly report on privileged access management and bank-wide compliance with user access rights.
  • Quarterly reporting to the Board on the exceptions noted in user access management likely to impact the Confidentiality, Integrity and Availability of information.
  • Any other duties as deemed necessary by the supervisor.

Academic Background

  • Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, Business, or related fields
  • Strong knowledge of Information Security related frameworks/regulations such as ISO 27001, NIST 800-53, NIST Cyber Security Framework, COBIT, FFIEC CAT, GLBA, SOX, NYDFS 500, etc.

Work Experience

  • At least 5 years of Banking or Information Technology experience
  • Knowledgeable in IT operations
  • Proficient in IS Security
  • Knowledge of Data Protection laws and the General Data Protection Regulation (GDPR) is an added advantage

Skills and Competencies

  • Excellent interpersonal and communication skills
  • Working in teams
  • Excellent analytical skills
  • Problem-solving skills
  • Excellent knowledge of security tools
  • Report writing skills
  • Ability to operate within 24-hour shifts as and when required.

Professional Certification

Professional qualification such as Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP), Certified Data Privacy Solutions Engineer (CDPSE), and other relevant certifications.