IT Governance and Compliance Analyst at NCBA Group

Job Purpose Statement

The IT Governance and Compliance Analyst ensures effective management of IT risks and controls by developing, implementing, and maintaining a robust IT governance framework. This includes aligning IT with business objectives, ensuring compliance with regulations and industry standards, and mitigating cybersecurity risks to protect organizational assets and maintain operational integrity.

Key Accountabilities (Duties and Responsibilities)

Governance Framework (10%):

• Develop and implement a comprehensive IT governance framework aligned with business strategy, risk appetite, and regulatory requirements.
• Define and articulate IT governance principles, policies, and procedures.
• Oversee the implementation of IT governance best practices, including COBIT, NIST, PCI DSS, ISO 27001, and ISO 31000.

Compliance Management (10%):

• Monitor and ensure compliance with cybersecurity frameworks, regulatory requirements, and internal security policies.
• Lead the preparation for and execution of cybersecurity audits and assessments.
• Maintain up-to-date knowledge of current and emerging cybersecurity regulations and standards.

Risk Management (40%):

• Lead and conduct comprehensive risk assessments, including threat modeling, vulnerability scans, penetration testing, and business impact analyses.
• Develop and maintain a comprehensive Risk Register, documenting identified risks, their likelihood and impact, and chosen risk treatment strategies.
• Develop and implement risk mitigation plans in collaboration with relevant stakeholders.
• Monitor and track key risk indicators (KRIs) and key performance indicators (KPIs) related to IT risk.
• Conduct regular risk reviews and updates to ensure accuracy and completeness of risk assessments.
• Develop and implement a risk-based approach to decision-making across all IT-related activities.

Training & Awareness (30%):

• Conduct IT governance, risk management, and cybersecurity training and awareness programs for employees to ensure compliance with policies and procedures.
• Provide guidance to IT on regulatory and compliance matters, supporting a culture of compliance.

Continuous Improvement (10%):

• Develop tactical governance and compliance reports highlighting key metrics and risk insights.
• Champion a culture of continuous improvement by driving secure systems, a resilient workforce, and informed decision-making.

Job Specifications

• Bachelor's degree in Cybersecurity, Information Technology, Business, or related field.
• Relevant professional certifications such as CISA, CISM, CRISC, CGEIT, or ISO 27001 are highly preferred.
• Proven experience in cybersecurity governance, risk management, and compliance (minimum 3-5 years).
• In-depth knowledge of cybersecurity standards and frameworks (e.g., NIST, ISO 27001, PCI-DSS, GDPR).
• Familiarity with regulatory requirements and the ability to interpret and implement compliance standards.
• Proven experience in conducting threat modeling exercises, vulnerability assessments, and business impact analyses.
• Strong understanding of risk management methodologies and frameworks.
• Strong analytical, problem-solving, and communication skills.
• Ability to work collaboratively across teams and present complex information to non-technical stakeholders.
• Knowledge of cloud security and privacy compliance.
• Familiarity with data protection and privacy laws.

Behavioral Competencies:

• Strong attention to detail and organizational skills.
• Ability to work independently and manage multiple tasks simultaneously.
• Strong interpersonal skills and the ability to collaborate effectively with teams at all levels.