Manager – Information, Communications Technology Risk & Data Protection
The job holder is responsible for overseeing the Bank’s Information and Communication Technology (ICT) Risk and Data Protection framework to ensure controls are in place; directing the ICT risk management and data privacy strategy; identifying threat scenarios and quantifying risks; providing independent assurance on implementation of the Bank’s business continuity management programs; working with stakeholders to ensure effective mitigating controls are in place; and ensuring compliance with all relevant regulatory requirements and related policies and procedures.
- Governance and Compliance
- Information Security and Data Privacy & Protection Management
- Incident Management
- Business Continuity and Disaster Recovery Management
Governance and Compliance
- Overseeing and implementing the Bank’s Information Security program, enforcing the Information Security policy and framework, and ensuring up-to-date information security policies and standards are in place, including the Information Technology Risk Management Plan.
- Review and update the Bank’s IT Risk Governance Framework.
- Ensure strict adherence to all applicable regulations, statutes, standards and practices, and to all internal processes and procedures as set out in the relevant manuals, including all relevant external legislation and regulatory compliance requirements.
- Ensure appropriate action plans and delivery dates are in place to address material risks and any open internal or external audit items or regulatory issues, and track these actions to completion.
- Review compliance with the Bank’s IT policies on a regular basis to ensure the policies remain complete and consistent with current and prospective business activities.
- Assist in developing an Information Security Awareness Program, prepare curricula for different sets of users and execute the program.
- Participating in the formulation of risk acceptance criteria while developing and maintaining the ICT risk registers.
- Providing guidance to departments on IT risk management topics such as achieving compliance with standards and policies and staying within the Bank’s risk appetite.
- Establishing the data protection governance and regulatory framework and its implementation plan, including development of the various required statements and policies.
- Driving implementation of the essential elements of the Data Protection Regulation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
- Regularly training all internal stakeholders involved in data collection and processing, keeping the training up to date, and conducting targeted training for specific processing requirements.
- Maintaining data protection policies and procedures.
Information Security and Data Protection & Privacy Management
- Carry out information security reviews at each phase of the project lifecycle, as provided for in best-practice project management frameworks, and recommend the required controls.
- Ensure that the Bank’s information security policies, procedures and guidelines are incorporated into all application, product, system and service lifecycles.
- Oversee and direct any third-party service provider contracted to perform operational security functions such as information security monitoring, testing and threat intelligence.
- Ensure the Bank maintains a current enterprise-wide knowledge base of its users, devices, applications and their relationships, including but not limited to:
- Software and hardware asset inventory
- Network maps (including boundaries, traffic and data flow); and
- Network utilization and performance data
- Keep up to date with the latest security and technology developments through research, and evaluate emerging security threats and ways to manage them.
- Ensuring Records of Processing Activities (ROPA) are maintained in line with data privacy laws.
- Creating an information base: guiding and supporting the creation of an information base on data protection and any other material that may be helpful to the controllers and staff of the organization.
- Data protection regulations: developing, together with the business and support functions, data protection impact assessments, policies, guidelines and processes to ensure consistent compliance with the Data Protection Regulation.
- Support the business in preparing digital and other privacy statements as required by the institutions and support functions. Ensure processes are in place for the institutions and support functions to collect consent from the relevant data subjects and partners, and that the relevant privacy statements are provided on all company forms and literature, websites and other communication or data collection media.
- Networking with other Data Protection Officers to share information and keep up with emerging trends in data protection, following changes in the law and recommending the changes required.
Business Continuity and Disaster Recovery Coordination
- Ensure the roles and responsibilities of managing information security and Data Privacy risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
- Ensure that a business continuity plan (BCP) and disaster recovery test plans are in place so that the Bank can continue to function and meet its regulatory obligations in the event of unforeseen circumstances.
- Ensure the IT Disaster Recovery Plan is maintained, including annual reviews.
- Oversee regular testing of the plan and update it for major changes in hardware, applications, business and regulatory requirements.
- Coordinate testing and reporting of data backup restorations.
- Ensure adequate backups of critical IT systems and data are carried out in line with predetermined recovery objectives (e.g. real-time backup of changes made to critical data) to a site that is unlikely to be affected by a disaster event at the main processing site.
- Creating and maintaining a register with comprehensive records of all data processing activities conducted by the company, including the purposes of each processing activity, which must be made public on request.
Monitoring and Review of Systems
- Conducting audits to ensure compliance, accountability and address potential issues proactively.
- Monitor security events received from the Bank’s security tools on applicable perimeter devices, systems, databases and servers for potential attacks, suspicious or anomalous activities.
- Assist in identifying new solutions to improve the ISO monitoring role in threat identification, detection and response capabilities.
- Strengthen monitoring of the integrity of system transactions and events by reviewing system audit logs and escalating noted anomalies.
- Analyze and document business process objectives and design to identify required information systems controls.
- Document information security breaches and assess the damage caused.
- Escalate and report on incidents, potential gaps or risks as observed during monitoring activities.
- Serving as the Data Protection Officer and point of contact between the Companies, the Data Commissioner and other regulatory authorities, cooperating with them during inspections and answering any complaints or queries raised regarding data protection.
- Handling queries or complaints internally or externally regarding data confidentiality and use.
- Reporting to the Head, Enterprise Risk Management.
- Providing status updates to the Head, Enterprise Risk Management and Senior Management on a regular basis (at least monthly) and drawing immediate attention to any failure to comply with the applicable information security and data protection programme requirements.
- Regularly report on IT risks to Management and the Board Audit & Risk Committee, send a weekly report to Executive Management on information security risks and the data protection compliance programme, and follow through on closure of identified risks with the relevant business owners.
- Share a monthly report on privileged access management and Bank-wide compliance with user access rights.
- Quarterly reporting to the board on the exceptions noted in user access management likely to impact the Confidentiality, Integrity and Availability of information.
- Any other duties as deemed necessary by the supervisor.
- Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, Business, or a related field
- Strong knowledge of information security frameworks and regulations such as the CBK Cyber Security Guidelines, ISO 27001, ISO 27002, the NIST Cybersecurity Framework, COBIT, PCI DSS, the SWIFT Customer Security Programme, etc.
- Knowledge of data protection and privacy laws and regulations such as the Kenya Data Protection Act and/or the EU General Data Protection Regulation (GDPR) is an added advantage.
- At least five (5) years’ experience in Information Technology with proven hands-on experience in information security, risk or systems audit functions.
- Knowledge of information systems, software & security architectures, IT operational practices, project management, web security, encryption and programming languages.
- Proficient in interpreting and applying policies, standards and procedures.
SKILLS & COMPETENCIES
- Superior interpersonal, communication and report writing skills.
- Strong team player with proven leadership and managerial skills
- Excellent analytical and problem-solving skills.
- Can exercise independence of judgement and autonomy.
- Ability to operate with a limited level of direct supervision.
- Excellent knowledge of information and cyber security tools and technologies.
- Ability to operate within 24hr shifts as and when required.
- Professional qualification such as CISA, CISM, CISSP, CEH, CRISC, Security+, CCISO, CTIA, CND, or equivalent.
Officer, Enterprise Risk
The job holder is responsible for ensuring that the overall risk management framework is effective and continually improved, with the aim of ensuring that the Bank operates within its risk appetite and maintains a low risk profile.
KEY RESPONSIBILITIES AND ACTIVITIES
Operational Risk Management
- Assist in development of operational risk mitigation strategies for the bank’s critical risks and for monitoring the risks
- Monitoring and reviewing
- Support process owners and risk champions with identification of key risk indicators in their respective functions aimed at mitigating those risks
- Operational risk mapping and risk register updates
- Assist in the development and communication of operational risk management tools, including Risk and Control Self-Assessment (RCSA) and incident reporting
- Continuously update and monitor incidents reported by branches and departments
Financial Risk Management
- Conduct regular CAMEL rating analysis of the bank’s performance
- Conduct regular credit portfolio analysis, including concentration risk, performance analysis and stress testing, and advise management accordingly
- Assist in regularly updating the bank’s Internal Capital Adequacy Assessment Process (ICAAP) document.
- Conduct risk review of new products
- Weekly data update on bond VaR and bond mark-to-market (MTM), with reporting required where FVOCI/PL bonds are held
- Daily counterparty limit monitoring, with reporting on an escalation basis and in monthly management reports
- Annual deposit behavioural analysis
- Monthly reports on key risk indicators as detailed in the handover notes.
- Monthly and quarterly reports on FX VaR, KDIC CAMEL rating, industry analysis and peer analysis
- Design and implement overall operational risk management and business continuity process for the bank.
- Conduct audits of policy and of compliance with standards, processes and procedures.
- Assist in review of existing policies and procedures
- Conduct ad hoc analysis and assessments
- Ensure quarterly collection of data on the KRIs
Credit Risk Management
- Conduct credit portfolio analysis including stress testing, concentration risk and performance analysis
- Prepare updates on the current and emerging risk exposures within the bank’s own portfolio and across the market
- Continuous update of the Risk Registers on credit risk
- Assist management in defining, and proposing revisions to, the risk appetite for credit risk
- Preparation of risk self-assessment checklist
- Ensure quarterly collection of data on the KRIs for credit risk
- Conduct ad hoc credit analysis and assessments
- Follow up on closure of issues raised in the assessments
- Recommend improvement in credit risk appetite, process, procedure and policies
KNOWLEDGE, SKILLS & EXPERIENCE
- University degree in a relevant business discipline e.g. business administration or finance
- At least three (3) years’ experience in the financial sector
- Sound understanding of operational risk management
- Ability to understand and interpret financial information and principles
- Proficient in Excel
- Thorough understanding of the CBK regulatory framework and Anti-Money Laundering regulations
- Good analytical skills
- Good organizing and planning skills
- Highly effective communicator with excellent interpersonal and motivational skills