The Information Security Officer will implement selected cyber information technology security initiatives with the information technology lines of business to protect their applications and supporting infrastructure from both internal and external threats.
Assists in the management of risks, ensures compliance with regulatory requirements regarding information technology security.
Ensures the appropriate use of assets and educates employees about their information technology security responsibilities.
Assesses and records risk findings and recommends appropriate mitigating controls and plays an enablement role to support IT with risk remediation efforts.
Key responsibilities:
Ensure that conditions for lawful processing of personal information and measures set out in POPIA are complied with
Ensure that a manual and compliance framework is developed and updated, monitored, maintained, and made available as prescribed by POPIA
Participate in the Group Information Security Programme (GISP), with regular feedback to the Cluster Manco on Group-wide information security issues, as part of KPIs.
An action plan is required to implement these initiatives in the Cluster with regular reporting to the GISP PM on progress
Participate in Group Policies, Standards, Procedures, Guidelines (PSPG) Committee and Group Policy reviews and drive the implementation of Group and information security policies in their Cluster.
Review and respond to PSPG requests within the agreed time, and participate actively in the Information Security Forum.
Keep the Businesses updated on their regulatory responsibilities and advise Business Entities of their obligations under the relevant laws.
Identify requirements for additional Information Security policies or standards applicable to the Cluster as well as perform risk assessments that identify gaps in the existing policies.
Adapt policies for the Business and agree the adaptations with Group where required.
Tailor and develop additional policies or supporting standards, applicable to the Cluster only
Ensure that governance processes required to implement PSPGs and Privacy processes are documented and implemented
Document processes and artefacts that evidence the governance process was implemented
Design a document that specifies the controls to be implemented with documented actions, roles and timelines for Information Security policy standards and guidelines
Facilitate process reviews to ensure that policies are implemented
Address all requests and complaints related to Data Protection Laws made by the Business Cluster's data subjects.
Work with all relevant regulators, Group Technology, the Group Compliance Office, ISO and the Group Information Officer in relation to any ongoing investigations
Provide input to the Group Technology Cyber Security Committee (GTIGCSC) regarding security awareness campaigns, and act as the Cluster coordinator for Group Security information security and privacy awareness campaigns.
Using Risk Assessments, identify the opportunities or needs for more specific awareness or specialized training actions that are required for the Cluster on privacy and information security
Create, or facilitate the creation of, and distribute specific awareness materials on security, privacy, data and policies.
The Cluster should have an annual awareness training plan that ties in with Compliance and the GTIGCSC Awareness plan
Act as the Cluster's interface for decisions about logical access to business applications and business data, with responsibility for reviewing access to business applications.
This will form part of a monthly progress reporting on the resolution of issues that were identified during the reviews
Assist GTI in performing logical access reviews on centrally managed systems as well as resolve logical access related audit findings for the business applications within the Cluster
Act as the primary contact between the Cluster and Group Technology Cyber Security Incident Response Team (GTISIRT) and report information and cyber security incidents
Manage the resolution (action plan) to address cyber security root causes in the Cluster, and ensure that all key stakeholders in the Cluster know the process to follow when an incident occurs and how to log the incident within the formal process.
Implement the processes to identify information security and privacy risks with determining ownership of such risks and maintaining a risk register
Facilitate the process to analyze and evaluate the risks, involving the Business Owners and Deputy Information Officers in agreeing the severity of the impact with the Businesses.
Facilitate the process to agree actions, timelines, and resources to mitigate the privacy and security risks
Work with Audit to ensure that privacy and security issues are assigned to the correct owners, track the progress of audit items resolution as well as keep Manco informed on progress of implementation
Direct penetration test requests and requests for cloud services to GTIGCSC.
Identify trusted information sources and stay up to date with events and threats happening in the information security industry
Evaluate new potential solutions and ensure that security is addressed in Business Cases, requirements, design, development, and stages.
Ensure that the solution integrates with existing processes in the Cluster and broader group
Document security standards and patterns based on Group-agreed best practices, and provide non-functional security requirements by ensuring that security roles, auditing and data protection are monitored and aligned to the relevant policies for secure development practices.
Review system design, perform and facilitate application security testing for secure development practices
Manage the resolution of vulnerability management issues that were assigned to owners in the Cluster for Infrastructure Security
Approve system hardening baselines. Facilitate the approval by the Cluster for requests from GTI to accept risks as well as review and approve security standards proposed by GTIGCSC for Infrastructure Security
Minimum requirements:
Degree / Diploma with required certification
6-8 years related experience
Investment and financial industry experience will be an advantage