Posted: 1 hour ago
By: Hiring Kenya
Company Details
Industry:
Banking
Description:
Housing Finance Company of Kenya was incorporated as the premier mortgage Finance Institution in Kenya licensed under the Banking Act with the CDC and the GoK owning 60% and 40% respectively.
Housing Finance started operations with the main objective of implementing the government’s policy of promoting thrift and home ownership by lending funds advanced from First Permanent East Africa Limited (FPEA). Operations were restricted to the zoned residential areas within Nairobi and Mombasa.
Deposits of FPEA in Kenya were transferred to HFCK while the Tanzanian and Ugandan deposits were transferred to The Permanent Housing Finance Company of Tanzania and the Housing Finance Company of Uganda respectively.
Job Description
Principal Accountabilities
Information Security Governance, Data Protection and Compliance Requirements
- Data Protection and Privacy (30%) - Facilitate data privacy through transparent data protection policies, procedures and systems. Additionally, the role shall:
- Act as point of contact with any supervisory authorities and internal teams on data processing-related issues
- Identify and evaluate the organization’s data processing activities
- Provide guidance in conducting Data Protection Impact Assessments (DPIAs)
- Inform and advise the organization (data controller/data processor) and employees involved in data processing of their obligations to comply with Data Protection Act and other applicable regulations.
- Monitor compliance with the Data Protection Act, as well as internal policies related to various data protection activities, including awareness, training, and internal audits
- Co-operate with the Data Commissioner and any other authority on matters relating to data protection.
- Information Security Management System (ISMS) Benchmarking with industry best practice/standards (10%)
- Provide guidance to ICT and drive technology best practices (COBIT, ISO 27001, PCI DSS), while enshrining these with the ICT policies and practices.
- Regulatory Compliance (10%) - Keep up-to-date with regulatory guidelines (e.g. CBK prudential guidelines etc.) affecting information technology and information security, and continuously update the organization’s policies, standards and procedures
- Risk & Audit Management (20%)
- Manage risk management tools and practices within ICT, including Risk Control Self-Assessments (RCSA) and ICT risk registers, across the organization.
- Manage and act as the key liaison for all Internal and External ICT and IS audit and risk assessment engagements across the organization.
- Track and report on ICT audit and risk findings, including managing ICT management forums for discussion and reporting of these findings.
- Manage the Information Security Awareness program across the organization and with external stakeholders, including awareness trainings, tools and reporting.
- Risk champion for the ICT department
- Business Continuity Planning (10%)
- Manage the ICT Business Continuity Program across the organization.
- Manage the ICT Business Impact Analysis process and outputs.
- In liaison with the other ICT stakeholders, maintain up-to-date disaster recovery plans and ensure recovery procedures are effective for restoration of key ICT systems and therefore resumption of critical business processes
- Manage Disaster Recovery and backup testing schedules, reporting and remedial actions.
- Regular monitoring and reporting on any significant gaps on ICT business continuity practices, including data replication and backups.
Cybersecurity Assurance Requirements
- System user access management (10%) - maintain a robust program for system user access management.
- Business projects assurance (10%)
- Participate and contribute towards developing and supporting progressive ICT practices (e.g. agile, DevOps)
- Provide ICT security assurance to business projects to ensure that any new products, services, channels and other ICT changes introduced meet the security compliance threshold.
Key Competencies and Skills
Technical Competencies
- Knowledge to develop and manage Information Security strategy and policy frameworks.
- Technical skills to effectively perform IS security management activities/tasks in a manner that consistently achieves established quality standards or benchmarks.
- Knowledge of the Kenya Data Protection Act (2019) and related laws as well as applicable CBK Prudential Guidelines on data protection and privacy.
- Knowledge to develop and manage Business Continuity and Disaster Recovery plans and processes.
- Knowledge and effective application of all relevant banking policies, processes, procedures and guidelines to consistently achieve required compliance standards or benchmarks.
- Knowledge and application of modern IS security management practices and best practice compliance standards in financial services industry, to proactively define and implement security quality improvements in line with technological and product changes.
- Performance management to optimise personal and team productivity.
Behavioural Competencies:
- Interpersonal skills to effectively communicate with and manage expectations of all team members and other stakeholders who impact performance.
- Self-empowerment to enable the development of open communication, teamwork and trust that are needed to support true performance and a customer-service-oriented culture.
- Demonstrable integrity and ethical practices.
Minimum Qualifications, Knowledge and Experience
Ideal Job Specifications
- Bachelor’s Degree in Information Systems, Computer Science, Information Security or a related field required
- At least 7 years’ experience in IT, Information Security or IT Governance, with 2 years in a managerial role within a highly digitized organization.
- 3+ years’ experience conducting IT compliance assessments or IT governance and assurance/compliance assessments in an organization
- Relevant certifications in information security knowledge areas, such as Information Systems Audit, Information Security Management and Business Continuity/Disaster Recovery.
- Knowledge of information security best practice & compliance standards.
- Knowledge and experience in audit management and reporting
- Knowledge of relevant CBK Prudential Guidelines and laws applicable to data protection and privacy.
- Prior experience working within a financial service organization will be an added advantage
Salary: Discuss During Interview
Education: Diploma
Employment Type: Full Time