Information Security Manager at Credit Bank

Reports To: Chief Manager Risk And Compliance

Division: Head Office

Protecting Something Valuable

Job Purpose

Responsible for providing continuous independent assurance on the bank's Information Security as regards confidentiality, integrity and availability of the IT infrastructure, processing systems and related resources in line with the Information Security Policy.

Key Responsibilities

1. Overseeing and implementing the bank’s cybersecurity program and enforcing the
2. cybersecurity policy.
3. Ensuring that the bank maintains a current enterprise-wide knowledge base of its users, devices, applications, and their relationships, including but not limited to:
   1. Software and hardware asset inventory,
   2. Network maps (including boundaries, traffic and data flow)
   3. Network utilization and performance data.
4. Ensuring that information systems meet the needs of the Bank and the ICT strategy, in particular information system development strategies, comply with the overall business strategies, risk appetite and ICT risk management policies of the bank.
5. Design cybersecurity controls with the consideration of users at all levels of the bank, including internal and external users.
6. Ensure an updated risk register is in place in order to keep abreast of the latest risks facing information technology and ways to mitigate them.
7. Organizing professional cyber related trainings to improve technical proficiency of staff members.
8. Supervise the design and execution of a comprehensive cyber risk assessments, vulnerability assessments, penetration tests and security audits are conducted.
9. Ensuring that adequate processes are in place for monitoring IT systems to detect
10. cybersecurity events and incidents in a timely manner.
11. Reporting to the Head of Risk & Compliance on an agreed intervals on detailed exceptions to the approved cybersecurity policies and procedures, assessment of the effectiveness of the approved cybersecurity programs, all material cybersecurity events that affects the bank during the period and assessment of the confidentiality, integrity and availability of the information systems in the bank.
12. Ensuring timely update of the incident response mechanism and Business Continuity
13. Plan (BCP) based on the latest cyber threat intelligence gathered.
14. Incorporate the utilization of scenario analysis to consider a material cyber-attack, mitigating actions, and identify potential control gaps.
15. Ensuring frequent data backups of critical IT systems are carried out.
16. Ensuring the roles and responsibilities of managing cyber risks, including in emergency orcrisis decision-making, are clearly defined, documented, and communicated to relevant staff members.
17. Continuously test disaster recovery and Business Continuity Plans (BCP) arrangements to ensure that the bank can continue to function and meet its regulatory obligations in the event of an unforeseen attack through cyber-crime.
18. Ensure timely submission of Risk Control Self-Assessment (RCSA) exercise and all identified risks and gaps are followed up for mitigation.
19. Ensure timely submissions of cyber security returns to the regulator.
20. Ensure compliance to regulatory notices and guidelines.

Selection Criteria

1. Degree in Information Security/Computer Forensics/Computer Science/Information Technology Information security certifications e.g., CISM, CISSP, CEH, GIAC, OSCP
2. Demonstrate a good understanding of IT Security administrative operations and controls around Network, Operating Systems Applications and Databases
3. Knowledge in System administration, Network Administration, Operating Systems administration (Linux and Windows) as this will be critical for the execution of risk assessments
4. Possession of ISO 27001 or ISO 31000 certification is an added advantage
5. At least 5 years’ experience in IT Security field
6. Good communication and report writing skills required for preparation of Board Reports on Cybersecurity risks
7. Team player and attention to detail