1. Nature & scope
The objective of the function is to provide appropriate access to and protect the confidentiality and integrity of customer, employee, and business information in compliance with organization policies/standards and business objectives of Afreximbank.
Specifically, the function aims to:
• Assist the bank in attaining its security objectives through the development of policies and procedures.
• Develop and manage reliable, flexible and cost-effective information security programmes within the approved budget.
• Maintain a consistent standard of security across the bank’s entire infrastructure.
2. Duties and responsibilities
Risk management:
• Maintain a risk management framework.
• Perform risk assessments on resources and projects to be protected.
• Perform vulnerability assessments to evaluate the effectiveness of existing controls.
• Report significant changes in risk to management on both a periodic and event-driven basis.
• Maintain and monitor a risk action plan.
• Update security standards and guidelines / procedures with results of risk assessments.
Information security governance:
• Ensure a framework for information security governance and IT control.
• Update and advise top management on security direction and issues.
• Review current and potential legal and regulatory issues affecting information security and assess their impact on Afreximbank.
• Make available technical information about security systems and ongoing programmes in the information security arena, especially as applied to financial organisations.
• Provide technical security expertise to IT staff to ensure that the requisite level of security is implemented in all information assets.
Information security policies:
• Lead the preparation and implementation of necessary information security policies, standards, procedures and guidelines.
• Maintain and review information security policies that support business goals and objectives, and are consistent with applicable laws and regulations.
• Maintain standards, procedures and guidelines that support information security policies, and ensure business processes and IT infrastructure activities address information security risks.
• Maintain documentation of all information systems security and change management processes.
Information security:
• Oversee and direct information security activities in line with the information security operations and programme / framework.
• Monitor and report on the effectiveness and efficiency of information security controls and the compliance with information security policies.
• Manage security plans and control techniques covering banking applications and supporting networks.
• Maintain access rules and exercise adequate control over the administration of user IDs.
• Review and monitor change management procedures on all system changes, systems configuration changes and application of security patches to ensure that information security is not compromised.
• Perform system audit checks including pre-implementation and post-implementation of projects.
• Monitor and review operations logs and event console activity to identify potential security related events, and investigate all anomalies.
• Manage system compliance with the identified targets for endpoints (antivirus, patches, threats, etc.).
Information security awareness:
• Lead and facilitate internal training and awareness of IT security policies, controls and best practices, as well as the impact of non-adherence, in order to:
    • contribute to the implementation of IT governance;
    • promote accountability by business process owners and other stakeholders in managing information security risks.
Audit and compliance:
• Ensure periodic IT audits / assessments to confirm that:
    • the rules of use for information systems comply with the enterprise’s information security policies;
    • the administrative procedures for information systems comply with Afreximbank information security policies;
    • change control management principles are adhered to;
    • software inventory licensing is adhered to across all systems;
    • services provided by other organisations, including outsourced providers, are consistent with established information security policies; and
    • non-compliance issues and other variances are resolved in a timely manner.
• Conduct regular audits of IS facilities to ensure compliance with the security policy, standards and guidelines / procedures.
• Work closely with the Risk department, as well as the Internal Auditor, and respond to all external and internal audit issues raised.
Incident and response management (IT Disaster Recovery):
• Lead activities relating to contingency planning, business continuity management and IT disaster recovery in conjunction with relevant functions and third parties.
• Review response and recovery plans that include organising, training and equipping the teams.
• Periodically test the response and recovery plans, where appropriate.
• Ensure the execution of response and recovery plans, as required.
• Manage post-event reviews to identify causes and corrective actions.
Any other duties as may be assigned by management.
3. Skills, Knowledge and Attitude
• Bachelor’s degree in Computer Science, Information Technology, Computer Engineering, Engineering, Management Information Systems or another relevant degree from a recognised university, and a Master’s degree in a relevant field or a recognised professional qualification in lieu.
• Minimum of 8 years’ experience as an Information Security and Risk Manager in a modern international ICT environment, preferably in an international bank.
• Information security management qualifications such as CISSP or CISM.
• Hands-on team leadership and management experience, ideally coupled with suitable management qualifications.
• Typically a background in technical IT roles such as IT infrastructure, architecture, development or operations, with a clear and abiding interest in information security.
• Sound knowledge and understanding of information processing environments, infrastructure, data communications and operating system administration, and information security principles.
• Must be highly aware of emerging trends in IT security.
• Strong knowledge of various banking applications and infrastructure.
• Experience with ERP software (Oracle, SAP, etc.) is very desirable.
• Ability to communicate and function in a culturally diverse and change-oriented setting.
• Excellent verbal and written communication skills in English. Knowledge of the Bank’s other working languages is an added advantage.
• Willingness to travel and to work long hours where required in order to achieve the Bank’s objectives.