Applications and Infrastructure Security Officer at Co-operative Bank of Kenya

Are you competent, highly motivated and passionate about Information and Communication Technology? Are you knowledgeable and well-experienced in information security or security engineering? Do you enjoy carrying out analytical roles in complex business environments? We are looking for a competent candidate to fill the position of Applications and infrastructure Security Officer within The Co-operative Bank of Kenya, “The Kingdom Bank.”

The ideal candidate for this position must have a passion for excellence coupled with the ability to embrace a problem-solving approach when faced with new, difficult or challenging situations and exhibit sound judgment.

The role holder will report to the Head of ICT Security to enforce security policies to protect the organization’s computer infrastructure, networks and data. The role holder will assess the organization’s infrastructure and data to identify vulnerabilities caused by weaknesses or flaws in software and hardware that could expose the infrastructure to a security breach. They also evaluate the effectiveness of existing security measures, such as firewalls, password policies and intrusion-detection systems. They make recommendations to improve security based on their assessments and knowledge of current and emerging threats.

The Role

Specifically, the successful jobholder will be required to:

• Perform security reviews across applications (Web, thick, thin, and mobile), systems, APIs, infrastructure devices, servers and databases to ensure that a risk-based and threat-aware approach to systems and infrastructure provisioning and management is adopted.
• Co-ordinate and conduct red team tests with the SOC and ICT Risk teams to assure on IOC (Indicators of Compromise) detection capabilities. Conduct vulnerability assessments and identify prioritized weaknesses that are exploitable for closure.
• Enforce vulnerability and patch management across all enterprise systems. Ensure that all systems are regularly updated and report on discrepancies based on criticality.
• Support the wider ICT project portfolio by acting as a subject matter expert, embedding cybersecurity from project initiation, through go-live and into post-deployment.
• Enforce policies, secure configurations and rule sets that will enforce protection of data and limit user access as appropriate. 
• Develop and maintain a prioritized asset and applications register of all ICT assets in the bank.
• Ensure firewalls, switches and other infrastructure are up to date and are running optimized security configurations and policies.
• Ensure servers are hardened and PCs are deployed with minimum security baselines configured. Develop baselines for installations of PCs, servers and databases.
• Develop an annual systems security assessment plan, prioritizing systems based on criticality.
• Act as point person for all external security tests conducted by external auditors and be familiar with current attack methodologies and cyber defenses.
• Make technical recommendations on areas of improvement of the bank's configurations at operating system, database and infrastructure levels.
• Leverage emerging threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of any threat or cyberattack. Review and collects asset data (configs, running processes, etc.) on these systems for further investigation. Determine and direct remediation and recovery efforts.
• Conduct deep dive forensic investigation and simulation of possible attack / cyber-fraud methodology.
• Ensure that all cybersecurity risk management requirements within different sandboxes are addressed and where necessary escalated through the available defined channels.
• Continuously run initiatives that create and enforce security awareness across the bank.
• Generate reports on overall network security status from a controls perspective and robustness of existing configurations in minimizing likelihood of successful cyberattack(s). Compile monthly system and network security status based on compromise threats and assessments conducted.
• Interact with ICT and ensure they understand concepts relating t

Skills, Competencies and Experience

The successful candidate will be required to have the following skills and competencies:

• An IT-related bachelor’s degree or business related degree with relevant IT Security professional qualifications, i.e. Cisco Certified Network Associate (CCNA)/ Certified Information Systems Auditor (CISA) certification/ Certified Information Systems Security Professional (CISSP), CCIE (Security), CEH, CHP, or other relevant security certifications.
• Good understanding and knowledge of security assessment, vulnerability management, penetration testing methodologies and toolsets.
• Working knowledge and experience in penetration testing and vulnerability assessments.
• Knowledge of common cybersecurity threats and sources of cybersecurity information.
• Communication and reporting skills.
• Good software development and familiar with database solutions.
• Good understanding of ICT infrastructure setup, networks and infrastructure components.
• At least 4 years’ experience in leading ICT Security Services. Strong knowledge of security architectures and technologies including assessment, methodologies, compliance standards, etc.
• Knowledge of security standards and compliance like PCI, HIPAA, Sarbanes Oxley, ISO 27001, NIST, CSF, COBIT, ITIL, SANS 20.
• Good understanding and knowledge of risk assessment, risk procedures, security assessment, vulnerability management, penetration testing.
• Strong experience and ability to prepare RFP/RFI response, proposals and solutions and solid working knowledge of vendor programs and partner eco-system.
• Strong knowledge of Cloud architecture and its security concerns and solid knowledge of solutions from vendors.
• Good demonstrable knowledge and experience in securing mobile applications and API architectures.
• o cybersecurity, threats and how to ensure a security-conscious setup is used for all systems and infrastructure setups.