Officer, ICT Security at Strathmore University

Department: ICT Services (ICTS)

Reporting To: Assistant Manager, ICT Security Services

Basic job summary: As part of a team responsible for ICT Security Services the jobholder will be charged with the development and implementation of a comprehensive information and cyber security program that facilitates information security governance and management towards the protection of University information assets and resources by ensuring they have adequate controls to provide for their confidentially, integrity and availability in line with institutional requirements as well as to comply with applicable laws and regulations, for business risk reduction. This is to be accomplished by working closely with ICTS staff, University departments/offices, University staff, University management, vendors, auditors, among other stakeholders.

Duties & Responsibilities:

1. Project Management: To ensure allocated ICT security systems and services projects are well planned and managed professionally using appropriate project management methods and techniques to minimize risks to the University, while fully realizing expected business benefits within time and budget constraints.
2. System & Data Access: Maintain access rules to ICT systems and resources including applications and data and ensuring appropriate access control procedures are adhered to meet defined security standards while maintaining supporting documentation, and that access is based on least privilege and need basis, towards maintaining confidentiality and integrity of data.
3. Systems Security & Change Management: Liaise with the systems analysis, systems design, and systems development teams to provide security design review and approval for new University ICT systems and/or services as well as proposed changes to existing systems and/or services. Further is to work closely with ICT teams in their role as system custodians, as well as system owners, to deliberate on security risks affecting the respective systems, and by acting as subject matter expert on information and cyber security, recommend and follow up on implementation of appropriate controls an agreed remediation measures, which may involve a change in process or rollout of a new technology.
4. ICT Disaster Recovery (DR) Planning: Ensure development and maintenance of current DRPs that ensure systems’ resilience to support ongoing University operations. Further is to ensure ongoing testing of system backups through scheduled or ad hoc restoration exercises involving business systems owners’ signoff and making and recommending relevant adjustments to the plans as may be necessary in order to be within stipulated & expected timelines and thresholds (i.e. RPO, RTO, and SDO etc.).
5. Business Continuity Management (BCM): Be part of the team leading Business Continuity Management (BCM) coordination for ICTS in the University, charged with conducting awareness and coordinating ICT Business Continuity Planning (BCP) and DRP activities towards ensuring meticulous operation of the plans in time of an information/cyber security incident or disaster.
6. Information Security Incident Management: Be involved in the establishment of mechanisms for information and cyber security incident response management including monitoring, detecting, remediating and fully investigating security breaches to establish and treat the root cause (s) so as to minimize future occurrences as well as perform impact analysis.
7. Risk Assessment and Audit: Proactively monitor current and emerging information and cyber security risks and changes to laws and regulations that may present new business risks, and to detect weaknesses in the design and implementation of controls, carry out vulnerability assessment and penetration testing on University’s ICT systems, report identified weaknesses and follow-up on corrective action and its effectiveness. Further, is to engage and support internal and external auditors in their assignments and subsequently assist in laying effective remedial plans to resolve audit findings touching on information and cyber security matters including reporting on progress of corrective action.
8. Information & Cyber Security Awareness and Training: Design, recommend and carry out Information and Cyber Security awareness and training campaigns for all University stakeholders/constituents towards creating a culture of consciousness about information and cyber security risks and the different ways in which to avoid or mitigate such risks.
9. Policy Formulation and Compliance Monitoring: Participate in the formulation, review and updating of information and cyber security policies, related standards, procedures and guidelines and oversee their approval, dissemination and maintenance.
10. Professional Development: Grow and maintain professional development by attending educational workshops/seminars/conferences, reviewing professional publications, establishing professional networks and participating in professional societies.
11. Reporting and ICT Committees: Support decision making by formulating appropriate technical as well as managerial metrics and insights and using those to design concise and simple reports to apprise senior IT management, respective ICT Committees and/or business management on matters pertaining to the posture of ICT Security according to agreed schedule/cycles or on ad hoc basis. This further involves being part of and actively contributing to applicable ICT Committees.

Minimum Requirements:

Core qualifications

• Bachelor of Business Information Technology (BBIT), Bachelor of Science in Telecommunications (BSc. TC), Bachelor of Science in Informatics and Computer Science or an ICT related degree qualification.

Professional Qualification: 

• Windows, Linux Certification etc.
• Network and Network Security knowledge (CCNA/HP and CCNA Security etc.);
• ICT Risk and Security Controls knowledge (CISA, CISM etc.).

Experience:

• A minimum of 4 years of relevant experience in a highly automated and busy ICT environment.

2 years must have been in the area of systems and network administration or information, cyber or IT security.

Competencies and Attributes

• Thinks outside the box (creative);
• Analytical and pays attention to detail;
• Results – oriented;
• Works well under pressure,
• Team player;
• Problem solving focus;
• Good interpersonal & communication skills.
• Technical zeal;
• Strong time management & organizational skills;
• Self-discipline and drive;
• High integrity and ethical standards

Knowledge and Skills

• Demonstrate experience in IT Security including in cloud-based environments, mobile environments, virtual environments (vmware).
• Knowledge of Information security regulations, standards, and leading practices such as COBIT, ISO 27001, SANS 20, ITIL, etc.
• Knowledge in security technologies such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), SIEM, Firewalls etc.
• Practical information security experience in: Linux, Windows Server and Active Directory, LAN and WAN Networks, Application Controls, Security Testing, Physical Security etc.