Work embedded as a member of squad OR, or across multiple squads, to produce, test, document and review algorithm- and data-specific source code that supports the deployment and optimisation of data retrieval, processing, storage and distribution for a business area.
The job holder will be a member of the Absa Bank Kenya Information Risk Management & Data Privacy Team, responsible for implementing the information risk and Data Privacy/Protection programs in Absa Bank Kenya. The primary function of the role is to ensure that information/data is protected effectively and consistently with its criticality, and that Audit, Regulatory and Governance requirements are realized in the Bank.
Work with the Absa Kenya IRM team to build an implementation method for the IRM & Data Privacy policies.
- Based on the Group design, the method will become the model for implementation across ARO, to ensure:
  - Consistency of approach and interpretation where necessary
  - Clear controls on exceptions where requested
  - Businesses have clear communications channels for feedback and queries
Data Privacy Standards Implementation
- Consistent implementation of DP policy, data Standards and Procedures across the businesses.
- Maintain /Report Monthly Risk indicators
- Communications to emphasize the importance of Data Privacy
- Implement Absa operating framework for the management and control of Data Privacy in BAU
- Training and awareness, materials, from general awareness to subject matter experts.
- Publication of guidance on data privacy best practice.
- Data Privacy program Implementation
- Breach escalation.
- Implement and track Data Privacy Training
- Provide Data Protection champions.
- Compilation and consolidation of Country DP risk profile
- Participating in new projects and products to check data privacy requirements
- Implementation of Logical Access Management Requirements
- Ensure PIAs are completed for new implementations, changes, projects and new products
- Review PIAs submitted by projects and product teams
- Review of submitted Data Privacy Related Dispensations, waivers and breaches
- Review and maintain a tracker on Data Privacy Related Dispensations, waivers and breaches
- Track country DP requirements implementation in respect of:
  - Privacy notices roll-out
  - Personal data lifecycle management (collection/creation, use/reuse, processing, storage/archiving & destruction)
  - Personal data transfers & further processing of personal data
  - Direct marketing customer consent management
  - Privacy-related complaints
  - Data/Information security & safeguards
  - Incident Management
- Implementation of completeness and validation controls in systems
- Implementation of required privacy controls within the system/processes/products in line with the PIAs prior to go-live
- Remediation of Data Quality issues/gaps affecting Data Privacy/Protection
- Implementation of approved Data Privacy Retention Schedule
- Execution of Data Subject processes
- Monitor and report on Key Risk Indicators
- Guide the business in classification and categorization of records that contain personal Information
- Be a point of contact and give guidance to the business on Retention of Personal Information.
- Publication of guidance on privacy retention schedule
Data Leakage Protection
- Ensure that raised Data Leakage alerts that relate to Data Privacy are closed within SLA
- Give advice and guidance to other staff on how to secure and handle Personal Information
Controls & Risk Assessment
- Carry out Data Privacy reviews in sampled business units
- Facilitate the remediation and closure of all issues picked up regarding information
- Provide the information to create a threat profile.
- Clear controls on exceptions where requested
- Ensure the Businesses have clear communications channels for feedback and queries
- Publication of guidance on IRM best practice.
Issues and incident Management:
- Log and follow to closure the incidents reported within the business
- Report and escalate the incidents identified as per the DPIMS
- Maintain a database of remediation issues identified and actions agreed, to ensure consistency of approach and common themes for reporting to the ARO IRM team
- Identify remediation activity and agree action plans
- Consistency of approach and interpretation where necessary
- Ensure the implementation of and the monitoring of the Data Privacy Incident Management Standard within the Business
- Develop an implementation schedule for Business Units where required
Third Party Management
- Perform due diligence on all new 3rd Parties to ensure a duty of care is provided for data and information assets.
- Ensure risk is mitigated in accordance with policy and governance, and that regular reviews of risk are provided.
- Track Third party supplier obligations compliance on Data Privacy
- Review third party contracts for inclusion of DP requirements/schedules.
- Assess possibility of processing without transfer of personal data
- Ensure required exceptions to Binding Corporate Rules are considered and relevant BCR put in place
- Ensure embedment of Privacy notices
Policy, Audit & Regulatory translation
- Working with Information Risk Team, understand and enable group policy whilst ensuring local requirements are catered for.
- Monitor compliance of policy and standards and drive the closure of gaps.
- Communicate risk based policies and minimum standards and escalate approval of exceptions.
- Use risk management principles to safeguard Data Privacy, and the confidentiality, integrity and availability of information in accordance with the bank’s operating model and risk appetite.
- Be a custodian of Information Management in your locality
Project implementation in Kenya:
Work with line managers and local project teams to:
- Train them in the implementation methodology and their understanding of Data Privacy policies
- Adapt the methodology to fit the operating model of the local businesses
- Manage their queries: researched and answered promptly, and recorded on a database
- Monitor their implementation v. plan, sample their deliverables, and challenge as appropriate
- Influence (but not run) new projects and provide steering to fix crucial Data Privacy Issues.
- Ensure that new projects follow the laid down process and Framework.
- Apply consistent Privacy risk indicators to all projects and identify those with high risk.
Collaborate with business units:
To ensure that:
- Each business adopts a consistent approach to policy implementation where necessary
- Their queries are managed: researched and answered promptly
- Each business submits a monthly progress report in an agreed format, and to an agreed standard of detail.
Training and Development
- Ensure that the mandatory Awareness Training programme that promotes and embeds a risk and security awareness culture within the business is carried out in each business unit
- Develop training and awareness, materials, from general awareness to subject matter experts
- Ensure each business unit has appointed an Information Risk Management Champion
- Train the IRM champions on a yearly basis on Privacy Requirements.
- Ensure that New Joiners induction training includes Information Risk awareness.
- Monitoring of LMS training
- Conduct awareness as requested by units
Technical skills / Competencies
Education and Experience Required:
- A degree from a reputable learning institution.
- Professionally certified (e.g. CRISC, CISM, CISA, CISSP or a similar certification).
- Accredited in Information Management/Information Sciences, with 5 years in Financial Services or a related industry.
- 4 years' experience, preferably in an IT Security and Risk Management related role.
- Experience fulfilling a consulting role.
- Proven relationship with executive management and communication skills.
- Extensive Microsoft office skills (Word, Excel, PowerPoint, etc.)
- Reasonable understanding of the principles, practices, and techniques related to Information Risk Management.
- Knowledge and understanding of the implications, to Absa, of the laws and regulations associated with the Payment Card Industry Data Security Standard (PCI DSS).
- Knowledge of wider aspects of risk control, operations and processes.
- Detailed understanding of the Risk assessment processes.
- Experience of a consultancy working style (i.e. used to working collaboratively across the business – essential for undertaking the assessment roles)
- Information Management
- Experience of developing IRM Standards - Basic
- Quality Focus - Competent
- Implementation Management - Competent
- Influencing – Competent
- Information Security - Expert
- Understanding of compliance requirements relating to records retention – Competent
- Experience of developing communication and training strategies – Competent
- Understanding of records management technologies – Competent
- Planning and organization – Competent
- Problem solving – Competent
- Detailed understanding of the principles, practices, and techniques related to Information Risk Management.
- Technical Security background and experience of working on application developments
- A good understanding of the issues faced with outsourcing to external vendors and experience of conducting vendor assessments.
- Ability to influence senior management in relation to important Risk decisions.
- Proven leadership, relationship management and communication skills
Knowledge, Expertise and Experience
- Have core information risk management, confidence and a willingness to deliver.
- Good communication skills.
- Highly motivated and able to coordinate multiple activities across various disciplines.
- Experience of working in a financial organization would be beneficial.
- Awareness of operational risk disciplines, key risk indicators relevant to information risk and a business-focused approach to controls is also beneficial. However, deep technical knowledge in any one discipline is not a requirement for this role.
- It is essential that the candidate has a resilient, flexible approach to work, as a prerequisite for working effectively as part of the Barclays Information Management team.
- He or she must be prepared to turn their hand to supporting other requirements if needed, while ensuring that the core IRM responsibilities are maintained.
- A proactive and hands-on approach is essential to demonstrate the value that this role and function can add to our organization.
Bachelor's Degree: Information Technology
Reporting to the Head of Technology Risk and Compliance, the role holder is responsible for ensuring that specific IT risk controls and solutions are applied and that they comply with the Technology Key Risk policy and standards, and consequently meet the business's requirements and safeguard the Bank's reputation.
IT Risk Identification and Control Assessment
- Assist in conducting effective local risk assessments to assess all new IT systems or Processes, clearly identifying the risks and issues and the controls and measures required to mitigate those risks / issues.
- Review and identify new risks that may be introduced into the business by any proposed change to IT Systems or Processes
- Assist in undertaking local 3rd Party Due Diligence for critical IT Vendors and Service Providers
- Conduct IT Security Controls snap checks (CSA) and monitor IT Security activities, e.g. application & system controls, physical and logical access security controls, review of disaster recovery and back-up procedures, media storage
- Report on compliance levels and provide comprehensive MI reporting
- Follow-up on any IT Security weaknesses identified and put in place effective measures to safeguard the bank’s IT resources, information and reputation.
- Plan and take responsibility for the overall IT DR objectives of Kenya Technology
- Agree and manage IT DR deliverables with internal and external customers/role players
- In liaison with the technical teams, ensure recovery procedures/ processes (SRPs/TRIs) for all systems are documented and readily available
- Keep monthly BCE statistics and data to be provided in MI reporting to senior management and stakeholders
- Capture/analyse and draft information into meaningful MI reports for senior management, stakeholders, team reporting and presentation purposes
- Present findings and conclusions together with recommendations after IT DR tests
- To engage collaboratively with BCM stakeholders to ensure appropriate prioritisation of BCM system tiers
- Ensure all technology solutions have a working DR before deployment
- Demand pipeline management
- Guide and govern suppliers for project related activities ensuring they understand and adopt Bank agreed standards and architectures along with adhering to policy and procedures.
- To work across all in-Country functions and to act as an interface point between ITSCM and Country BCM team
Key Risk Monitoring
- Assist in setting and measuring technology risk thresholds and the related key indicators.
- Ensure roles & responsibilities are defined and agreed for metric collation and ownership
- Ensure that Key Risk Indicators are monitored by Technology Senior Management, that reasons for out-of-threshold indicators are defined, and that remediation is actively monitored.
- Ensure alignment of KRI position and CSA results
- Review major incidents (severity 1, 2 and 3), identify root cause in terms of control objectives and ensure consistency with CSA
- In conjunction with the Group Key Risk Owner, Operational Risk management and the central Technology Risk team define the loss / risk appetite for the country.
- Analyze TKR loss data and conclude on required actions to prevent exceeding loss budget
- Ensure that loss events are correctly attributed to TKR where applicable.
- Ensure action owners compile their own closures and define ongoing management controls
- Ensure that defined action plans are agreed with the responsible assurance providers and trackers are defined detailing actions, sub actions, deliverables, evidence, control maturity and action owners.
- Provide regular status update report to senior management commensurate with item status (at risk, on track, overdue)
- Ensure that all high/medium risk projects in the area are identified and RAG status from a risk perspective is tracked
- Ensure that ORIAs are completed, required actions taken and operational risks being migrated into production are defined, understood, accepted (RFNC) and remediation planned for all high/medium risk projects
- Ensure that high probability and high impact items on top project risk logs have adequate remedial actions defined.
- Be involved in project assurance reviews, as managed by the central project assurance team, where required.
Accountability: People Management
- Responsible for driving own Performance Development, collating relevant documentation, preparing for and arranging reviews.
- By utilizing the skills matrix, identify training and development requirements, formulating own plan to be agreed with team leader.
- Responsible for ensuring own plan is completed within agreed timescales.
- Undertake all necessary training in order to perform the role to the required standards, including gaining accreditation where appropriate.
- Ensure that all activities and duties are carried out in full compliance with regulatory requirements, Enterprise Wide Risk Management Framework and internal Absa Policies and Policy Standards.
- Understand and manage risks and risk events (incidents) relevant to the role.
Knowledge & Skills: (Maximum of 6)
- Stakeholder Management Skills (Advanced)
- Analytical Skills (Advanced)
- Knowledge of Principles and Practices (Advanced)
- Knowledge of project management best practices (Advanced)
- Knowledge of banking and IT practices (Solid)
Competencies: (Maximum of 8 competencies)
- Deciding and initiating action
- Learning and researching
- Entrepreneurial and commercial thinking
- Relating and networking
- Adapting and responding to change
- Persuading and influencing
- Creating and innovating
Knowledge, Expertise and Experience
- B-degree, Commerce or a relevant banking or business degree, or a Matric-equivalent qualification or High Level diploma
- CISA/CRISC/CISM Certification
- Degree level education in an analytical subject would be beneficial
- 4 years’ experience and exposure to the Banking/ ICT Industry
- Displaying a thorough understanding of technology strategic issues in the banking or financial services sector
- A confident and motivated leader, with proven experience in motivating regional and global teams in a challenging, high pressure environment
- Good understanding of ITIL processes and associated concepts.
- High degree of commercial awareness with sound understanding of key contractual obligations and risks to maximize benefits
- Strong customer liaison and relationship management skills
- Excellent communication and presentation experience;
- Must be able to work under pressure, take clear ownership of issues and projects and drive to ensure a successful closure for the customer, peers and IT Production;
- Financial management – budget preparation and managing to budget;
- Working within a Global or Regional role
- Familiarity with ITIL-style management procedures and mainstream project management styles a distinct advantage;
- Experience of financial services preferred;
Higher Diplomas: Physical, Mathematical, Computer and Life Sciences (Required)