ICT Risk and Data Protection Analyst at Sidian Bank

JOB PURPOSE

The role holder will assist in providing continuous independent assurance of the Bank’s Information Communication Technology (ICT) Risk and Data Privacy framework as regards to Governance, IT Risk Assessments, Risk Response & Reporting, Information Security, Privacy Architecture and Data Lifecycles of Bank’s IT assets, projects and processes. The role holder will also assist in ensuring that ICT and Data Privacy risks are managed in compliance to the Bank’s policies, laws, regulatory guidelines and applicable standards.

KEY RESPONSIBILITIES

• Carry out ICT risk assessments of the Bank’s systems and provide recommendations of appropriate and adequate IT security controls to mitigate and minimize ICT Risks.
• Participate and coordinate updating ICT Risks registers.
• Promote Information security awareness within the Bank by providing consultation, guidance and conducting relevant awareness programs to ensure an Information Security complaint culture.
• Proactively anticipate potential threat and vulnerabilities and provide guidance in coordination with the IT department on effective responses or control measures to be implemented to mitigate them.
• Support the operationalization and update of Business Continuity Program (BCP) and Disaster Recovery (DR) test plans to ensure that the Bank can continue to function and meet its regulatory obligations in the event of an unforeseen circumstances.
• Working with IT Department, coordinate the development of Business Impact Analysis (BIAs) in line with the Bank’s risk management framework.
• Support Data Protection Program by providing analysis and documentation of data processing operations, data flow, services, applications, etc. and to contribute to the identification of Data Privacy risks, risk mitigation in order to comply with Kenya Data Protection Act and the Bank’s policies.
• Work with other members of the Data Protection team to action and administer the Data Privacy Impact Risk Assessments (DPIAs), identifying where assessments are required and working with business. stakeholders to drive completion of DPIAs, maintaining full and complete records and timetables for review.
• Support Red Teaming exercises by simulating advanced persistent threat (APT) scenarios, testing the effectiveness of security controls, identifying exploitable vulnerabilities across systems and applications, and working with stakeholders to strengthen detection and response capabilities.
• Keep up to date with emerging information security trends, and understand, relevant laws and regulations such as data privacy laws.
• Execute any other duties and projects that may be assigned to you by the Line Manager or/and Head of Department.

ACADEMIC BACKGROUND

• Bachelor’s degree in Information Technology, Computer Science, Cybersecurity or another IT related field.

WORK EXPERIENCE

• At least 5 years in Information Technology with proven hands on experience in Information Security, IT Risk, IT Audit or Cyber Security role.

SKILLS & COMPETENCIES

• Understanding of ICT risk, Data Privacy Risk and systems security control processes.
• Knowledge of Information Security related frameworks/ Regulations such as CBK Cyber Security Guidelines, ISO 27001, ISO 27002, NIST Cyber Security Frameworks, COBIT, PCI DSS, Swift Customer Cyber Security Programme etc.
• Understanding of Information systems Architecture and operational practices.
• Appreciation of IT Risk Assessment and Audit Methodologies.
• Knowledge of cybersecurity good practices (Identity and Access Management, Data Protection, Penetration Testing etc.)
• Knowledge of Data Protection & Privacy laws Regulation such as the Kenya Data Protection Act and/or the EU General Data Protection Regulations (GDPR).
• Highly proactive and able to work independently.
• Excellent written communication skills, demonstrating the ability to document with purpose, clarity, and accuracy.
• Strong inter-personal and group/team process skills, problem-solving and judgment skills.
• Strong systems thinking and analytical approaches to problem solving.

PROFESSIONAL CERTIFICATION

• Professional qualification in IT Security, IT Risk, IT Audit & Data Privacy such as CISA, CISM, CISSP, CEH, CRISC, Security +, CCISO, CTIA, CND, CIPM, CDPSE or equivalent will be an added advantage.