Chief Information Security Officer & Data Protection Officer at Family Bank Ltd

Are you a go getter, positive minded individual who fits the role profile captured below? There is an opportunity for ambitious, self-driven individuals to fill the above position.

REPORTING TO: CHIEF RISK OFFICER.

Job Purpose: Assist the Chief Risk Officer(CRO) to promote an organizational culture of shared cybersecurity ownership and data protection compliance in line with the Central Bank of Kenya’s guidance note on cybersecurity for the banking sector and the Data Protection Act of 2019.

Key Responsibilities:

• Ensuring that the Bank maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to; Software and hardware asset inventory; Network maps (including boundaries, traffic and data flow); and Network utilization and performance data.
• Act as the primary point of contact within the bank for members of staff, regulators and any relevant public bodies on issues related to data protection and cybersecurity.
• Conduct regular and comprehensive cyber security and data protection assessments that consider people (i.e. employees, customers, outsourcing and other external parties), processes, projects, change, data, technology across all the Bank’s business lines and locations.
• Maintain and oversee policies, processes and control techniques to address all applicable cybersecurity and data protection risks.
• Ensure the roles and responsibilities of managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
• Assist CRO in overseeing and implementing the institution’s cybersecurity and data protection program and enforcing the related policies.
• Incorporate the utilization of scenario analysis to consider a material cyber-attack, litigation against the bank.
• Ensure frequent data backups of critical IT systems (e.g. real time back up of changes made to critical data) are carried out to a separate storage location.
• Regularly review and ensure all servers, routers, switches, firewalls and user PCs are up to date with the latest patches, antivirus and all unnecessary services and applications are disabled or uninstalled.
• Reviews privileged user access and activities in line with the privileged access management standard. Sensitize use of strong passwords on all systems.
• Ensure quarterly review of system user accounts.
• Conduct project cybersecurity and data protection assessments.
• Continuously test disaster recovery and Business Continuity Plans (BCP) arrangements to extent of cybersecurity and data protection.
• Assist the CRO in institution of a robust training program on professional cyber related and data protection trainings to improve technical proficiency of staff.

Reporting

• Reporting to the Board and CEO on an agreed interval but not less than once per quarter on the following:
• Assessment of the confidentiality, integrity and availability of the information systems in the institutions.
• Detailed exceptions to the approved cybersecurity policies and procedures.
• Cyber risk identification.
• Assessment of the effectiveness of the approved cybersecurity program.
• All material cybersecurity events that affected the institution during the period.
• Report to CBK on a quarterly basis the occurrence and handling of cybersecurity incidents.
• Report to the Data Commissioner as guided by the data protection regulations.
• Immediately report to the Board, CEO, CSIRT and CRO on detected ICT and Information Security critical incidents.
• Any other official duties as assigned by the management from time to time.

The Person:

The ideal candidate must possess the following:

Qualifications

• A Bachelor’s degree holder in IT related field.
• Minimum 10 years’ experience in cybersecurity management preferably within the financial sector.
• In depth understanding of the data protection act of 2019 and the European data protection laws (GDPR).
• Professional information security certification: CISM/CISA/CISSP or Network certification: CCNA, CCNP.
• Certificate in Data Protection.
• A good understanding of the relevant legislative requirements especially the Banking Act and Central Bank of Kenya (CBK) prudential guidelines.
• Strong background in information technology with a clear understanding of the challenges of information security.

Personal Attributes/Competencies

• High level of integrity.
• Ability to work under pressure and for long and odd hours.
• Proficiency and experience in designing Information Security control framework and metrics, as well as implementing them effectively.
• Excellent project management and planning skills.
• Excellent communication and presentation skills.
• Strong analytical capabilities and problem solving skills to interpret data and draw conclusions.
• A risk management mind-set and a good grasp of risk management in a commercial bank.
• Solution oriented.
• Strong people leadership, communications and negotiation skills
• Self-starter, passionate and instrumental in ideas generation and execution
• Ability to train, motivate and develop staff