This job listing has expired and may no longer be relevant!
28 Aug 2023

Manager ICT Risk and Business Continuity Management at HF Group



Job Description

Housing Finance Company of Kenya was incorporated as the premier mortgage finance institution in Kenya, licensed under the Banking Act, with the CDC and the GoK owning 60% and 40% respectively.

Principal Accountabilities

Identify, assess and evaluate ICT risks to enable the execution of the enterprise risk management strategy;

  • Collect information and review documentation to ensure that ICT risk scenarios are identified and evaluated.
  • Identify legal, regulatory and contractual requirements and organizational policies and standards related to information systems to determine their potential impact on the business objectives.
  • Identify potential threats and vulnerabilities for business processes, associated data and supporting capabilities to assist in the evaluation of ICT risk.
  • In liaison with the ICT department, ensure that an ICT risk register is created and maintained and that all identified risk factors are accounted for.
  • Analyse ICT risk scenarios to determine their impact on business objectives.
  • Correlate identified ICT risk scenarios to relevant business processes to assist in identifying risk ownership.

Develop and implement ICT risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives;

  • Identify and evaluate ICT risk response options and provide management with information to enable risk response decisions.
  • Assist in the development of risk response action plans to address risk factors identified in the organizational risk profile.

Monitor ICT risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise’s risk management strategy;

  • Collect and validate data that measure key ICT risk indicators (KRIs) to monitor and communicate their status to relevant units.
  • Monitor and communicate key ICT risk indicators (KRIs) and management activities to assist relevant stakeholders in their decision-making process
  • Facilitate independent ICT risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
  • Identify and report on ICT risk, including compliance, to initiate corrective action and meet business and regulatory requirements.

IT Policies & Governance;

  • Ensure that all ICT policies and procedures are compliant with regulatory requirements.
  • Maintain a schedule of policy review and ensure submission for approval

Disaster Recovery;

  • Maintain the ICT Disaster Recovery Plan including annual reviews.
  • Coordinate regular testing of the Disaster Recovery Plan and update it for major changes in hardware, applications, business and regulatory requirements accordingly.
  • Coordinate testing and reporting of data backup restorations in accordance with Key Performance Indicators (KPIs).

Projects and Initiatives;

  • Participate in ICT projects and initiatives to bring pro-active risk management focus into solutions.

Audits and Reviews;

  • Serve as liaison to auditors and consultants regarding documentation and review of information compliance.
  • Communicate audit and review results to appropriate parties and ensure that issues are addressed and corrective actions are implemented.
  • Keep a tracking action list of all audit issues

Business Continuity Coordination

  • Manage business continuity by identifying key business processes, conducting Business Impact Analysis, conducting Risk Analysis and instituting mitigating actions accordingly.
  • Facilitate business continuity and disaster recovery tests
  • Monitoring new and existing processes for continuity needs to enable optimal business performance
  • Coordinating and liaising with stakeholders in incident documentation, resolution and crisis management in the organization after approval by the Crisis Management Team for business continuity.
  • Training of members of staff on Business Continuity Management in liaison with Human Resources
  • Liaising with alternate business continuity sites for timely support during crisis management
  • Conduct red team exercise

Others;

  • Assist with investigations on alleged violations of the Bank’s information security policies.
  • Maintain technical knowledge by attending educational workshops and reviewing publications.

Requirements

Technical competencies

  • Strong analytical and problem-solving skills with the ability to translate data into actionable insights.
  • Ability to undertake security assessment and testing to reveal flaws in the security mechanisms of information systems including specific elements of confidentiality, integrity, authentication, availability, authorization and non-repudiation.
  • Requires in-depth knowledge of security issues, techniques and implications across all existing computer platforms.
  • Knowledge and good understanding of Information security control objectives.
  • Fair understanding of information systems architecture and operational practices.
  • Strong business acumen

Minimum Qualifications, Knowledge and Experience

Educational Background

  • Minimum of a Bachelor’s Degree in Cybersecurity, Computer Science, Information Systems, Information security or similar technology-related field – Minimum Upper 2nd Class honors.
  • Relevant certifications in Information Security and Risk Management knowledge areas such as CRISC, CISM, CISSP or equivalent, Information Systems Audit, Information Security Management and Ethical Hacking.

CBCI from the Business Continuity Management Institute and/or a Master’s degree is an added advantage.

Experience

  • At least 7 years of experience working in an ICT environment.
  • At least 5 years of experience at middle level management within technology security, risk or assurance functions.
  • Practical knowledge of risk and control frameworks and application in financial services industry.
  • Practical Knowledge of CBK guidelines on BCM and ICT Risk Management


Method of Application

Submit your CV and application on the company website.

Closing Date: 10 September 2023




