Manager – Information, Communications Technology Risk & Data Protection at Sidian Bank

JOB PURPOSE

The job holder is responsible for overseeing the Bank’s Information Communication Technology (ICT) Risk and Data Protection framework to ensure controls are in place, direct the ICT Risk management and Data Privacy strategy, identify threat scenarios, quantify risks, provide independent assurance on implementation of the Bank’s business continuity management programs and work with stakeholders to ensure effective mitigation controls are in place and ensure compliance with all relevant regulatory requirements ,related policies & procedures.

KEY RESPONSIBILITIES

• Governance and Compliance
• Information Security and Data Privacy & Protection Management
• Incidences Management
• Business Continuity and Disaster Recovery Management
• Reporting

MAIN ACTIVITIES 

Governance and Compliance

• Overseeing and implementing the Bank’s Information Security program and enforcing the Information Security policy/ framework and ensure up-to- date information security policies and standards are in place including the Information Technology Risk Management Plan.
• Review and update the Bank’s IT Risk Governance Framework.
• Ensure strict adherence to all regulations, statutes, standards, practices and all internal processes and procedures as per the relevant manuals and comply with all relevant external legislation and regulations with regard to compliance requirements. 
• Ensure appropriate action plans and delivery dates are in place to address material risks and any open internal or external audit items or regulatory issues, and tracking these actions to completion.
• Review the compliance level to the Bank’s IT policies on a regular basis to ensure completeness and consistency with the current and prospective business activities.
• Assist to develop an Information Security Awareness Program, prepare curriculum for different set of users and execute the program.
• Participation in formulation of Risk Acceptance criteria while developing and maintaining ICT Risk Registers 
• Providing guidance within the departments on topics related to IT risk management such as achieving compliance with standards and policies, staying within the risk appetite of the Bank.
• Establishing the Data Protection Regulation Governance, regulatory framework and implementation plan which shall include development of the various required statements and policies.
• Driving implementation of essential elements of the Data Protection Regulation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
• Regularly training of all internal stakeholders involved in data collection/processing, updating the training as well as conducting specific trainings for specific processing requirements.
• Maintaining data protection policies and procedures.

Information Security and Data Protection & Privacy Management

• Carry out information security reviews along the various phases of project lifecycles, as provided in the best practice project management frameworks, and recommend required controls.
• Ensure that the Bank information security policies, procedures and guidelines are incorporated into all application, product, systems and services lifecycles. 
• Conduct oversight over and provide directions to any third-party service provider contracted to perform operational security functions such as information security monitoring, testing and threat intelligence.
• Ensure the Bank maintains a current enterprise -wide knowledge base of its users, devices, application and their relationships, including but now limited to:

• • Software and hardware asset inventory
  • Network maps (including boundaries, traffic and data flow); and
  • Network utilization and performance data

• Keep up to date by researching on latest security and technology developments and evaluate emerging security threats and ways to manage them.
• Ensuring Record of Processing Activities (ROPA) are undertaken in line with data privacy laws.
• Creating an Information Base: Guide and support on the creation of an information base on Data Protection and any other elements which may be helpful to the controllers and the staff of the organization.
• Data Protection Regulations: Developing together with the business and support functions, carrying out impact assessments, data protection policies, guidelines, and processes to ensure that compliance is consistent and in line with the Data Protection Regulation.
• Support the business in preparation of digital and other privacy statements as may be required for the institutions and supporting functions and ensure processes are put in place for the institutions/support functions to collect consents from the relevant data subjects and partners, have relevant privacy statements provided on all company forms and/or literature, websites and other communication or data collection mediums.
• Networking with other Data Protection Officers to share information and keep up with information and emerging trends around data protection as well as following up on change in laws and make recommendations on changes required.

Business Continuity and Disaster Recovery Coordination

• Ensure the roles and responsibilities of managing information security and Data Privacy risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
• Ensure that BCP is in place and disaster recovery test plans to ensure that the Bank can continue to function and meet its regulatory obligations in the event of an unforeseen circumstances.
• Ensure the IT Disaster Recovery Plan is maintained, including annual reviews. 
• Oversee the regular testing of the plan and update for major changes in hardware, applications, business and regulatory requirements accordingly. 
• Coordinate testing and reporting of data backup restorations.
• Ensure adequate backups of critical IT systems and data in line with predetermined recovery objectives (e.g. real time back up of changes made to critical data) are carried out to a site that is unlikely to be affected by a disaster event at the main processing site.
• Creating and maintaining a register on comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request.

Monitoring and Review of Systems

• Conducting audits to ensure compliance, accountability and address potential issues proactively.
• Monitor security events received from the Bank’s security tools on applicable perimeter devices, systems, databases and servers for potential attacks, suspicious or anomalous activities.
• Assist in identifying new solutions to improve the ISO monitoring role in threat identification, detections and response capabilities.
• Strengthen the monitoring of system transactions integrity and events by review of the System audit logs and Escalation of noted anomalies.
• Analyze and document business process objectives and design to identify required information systems controls.

Incidences Management

• Document the information security breaches and measure the damage caused.
• Escalate and report on incidents, potential gaps or risks as observed during monitoring activities.
• Serving as the Data Protection Officer and point of contact between the Companies, the Data Commissioner and other Regulatory Authorities and co-operating with them during inspections by answering any complaints or queries raised with regards to Data Protection.
• Handling queries or complaints internally or externally regarding data confidentiality and use.

Reporting

• Reporting to the Head, Enterprise Risk Management.
• Providing status updates to the Head, Enterprise Risk Management and Senior Management on a regular basis (at least monthly) and drawing immediate attention to any failure to comply with the applicable information security and data protection programme requirements.
• Regularly report on IT Risks to Management and Board Audit & Risk Committee as well as send weekly report to the Executive Management on the information security risks and Data Protection compliance programme and follow through on closure of risks identified with relevant business owners. 
• Share a monthly report on privilege access management and Bank wide compliance to the user access rights.
• Quarterly reporting to the board on the exceptions noted in user access management likely to impact the Confidentiality, Integrity and Availability of information.
• Any other duties as deemed necessary by the supervisor.

ACADEMIC BACKGROUND

• Bachelor’s degree in Information Technology, Computer science, Cybersecurity, business, or related fields
• Strong knowledge of Information Security related frameworks/ Regulations such as CBK Cyber Security Guidelines, ISO 27001, ISO 27002, NIST Cyber Security Frameworks, COBIT, PCI DSS, Swift Customer Cyber  Security Programme etc.
• Knowledge of Data Protection & Privacy laws Regulation such as the Kenya Data Protection Act and/or the EU General Data Protection Regulations (GDPR) is an added advantage.

WORK EXPERIENCE

• At least Five (5) years’ experience in Information Technology with proven hands on experience in the information security, risk or systems audit functions.  
• Knowledge of information systems, software & security architectures, IT operational practices, project management, web security, encryption and programming languages.
• Proficient in interpreting and applying policies, standards and procedures.

SKILLS & COMPETENCIES

• Superior interpersonal, communication and report writing skills.
• Strong team player with proven leadership, managerial and team leadership skills
• Excellent analytical and problem-solving skills.
• Can exercise independence of judgement and autonomy.
• Ability to operate with a limited level of direct supervision.
• Excellent knowledge of information and cyber security tools and technologies.
• Ability to operate within 24hr shifts as and when required.

PROFESSIONAL CERTIFICATION

• Professional qualification such as CISA, CISM, CISSP, CEH, CRISC, Security +, CCISO, CTIA, CND, or equivalent.