Manager, IT Services (Information Security & Risk)

1. Nature & scope

The objective of the function is to provide appropriate access to and protect the confidentiality and integrity of customer, employee, and business information in compliance with organization policies/standards and business objectives of Afreximbank.

Specifically, the function aims to:

•  Assist the bank in attaining its security objectives through development of policies & procedures.

•  Develop and manage reliable, flexible and cost-effective information security programmes within approved budget.

•  Maintain a consistent standard of security across the bank’s entire infrastructure.

2. Duties and responsibilities

Risk management:

•  Maintain a risk management framework.

•  Perform risk assessments on resources and projects to be protected.

•  Perform vulnerability assessments to evaluate the effectiveness of existing controls.

•  Report significant changes in risk to management on both a periodic and event-driven basis.

•  Maintain and monitor a risk action plan.

•  Update security standards and guidelines / procedures with results of risk assessments.

Information security governance:

•  Ensure a framework for information security governance and IT control.

•  Update and advise top management on security direction and issues.

•  Review current and potential legal and regulatory issues affecting information security and assess their impact on Afreximbank.

•  Make available technical information about security systems and ongoing programmes in the information security arena, especially as applied to financial organisations.

•  Provide technical security expertise to IT staff to ensure that the requisite level of security is implemented in all information assets.

Information security policies:

•  Lead the preparation and implementation of necessary information security policies, standards, procedures and guidelines.

•  Maintain and review information security policies that support business goals and objectives, and are consistent with applicable laws and regulations.

•  Maintain standards, procedures and guidelines that support information security policies, and ensure business processes and IT infrastructure activities address information security risks.

•  Maintain documentation of all information systems security and change management processes.

Information security:

•  Oversee and direct information security activities in line with the information security operations and programme / framework.

•  Monitor and report on the effectiveness and efficiency of information security controls and the compliance with information security policies.

•  Manage security plans and control techniques covering banking applications and supporting networks.

•  Maintain access rules and exercise adequate control over the administration of user IDs.

•  Review and monitor change management procedures on all system changes, systems configuration changes and application of security patches to ensure that information security is not compromised.

•  Perform system audit checks including pre-implementation and post-implementation of projects.

•  Monitor and review operations logs and event console activity to identify potential security related events, and investigate all anomalies.

•  Manage system compliance with identified achievement targets for end points (antivirus, patches, threats, etc.).

Information security awareness:

•  Lead and facilitate internal training and awareness of IT security policies, controls and best practices, as well as the impact of non-adherence, in order to:

   •  contribute to the implementation of IT governance;

   •  promote accountability by business process owners and other stakeholders in managing information security risks.

Audit and compliance:

•  Ensure periodic IT audits / assessments to confirm that:

   •  the rules of use for information systems comply with the enterprise’s information security policies;

   •  the administrative procedures for information systems comply with Afreximbank information security policies;

   •  change control management principles are adhered to;

   •  software inventory licensing is adhered to across all systems;

   •  services provided by other organisations, including outsourced providers, are consistent with established information security policies; and

   •  non-compliance issues and other variances are resolved in a timely manner.

•  Conduct regular audits on IS facilities to ensure compliance to security policy, standards and guidelines / procedures.

•  Work closely with the Risk department, as well as the Internal Auditor, and respond to all external and internal audit issues raised.

Incident and response management (IT Disaster Recovery):

•  Lead activities relating to contingency planning, business continuity management and IT disaster recovery in conjunction with relevant functions and third parties.

•  Review response and recovery plans that include organising, training and equipping the teams.

•  Periodically test the response and recovery plans, where appropriate.

•  Ensure the execution of response and recovery plans, as required.

•  Manage post-event reviews to identify causes and corrective actions.

Any other duties as may be assigned by management.

3. Skills, Knowledge and Attitude

•  Bachelor’s degree in Computer Science, Information Technology, Computer Engineering, Engineering, Management Information Systems or other relevant degree from a recognised University, a Master’s degree in a relevant field or a recognised professional qualification in lieu;

•  Minimum of 8 years’ experience as Information Security and Risk Manager in a modern international ICT environment, preferably in an international bank;

•  Information security management qualifications such as CISSP or CISM.

•  Hands-on team leadership and management experience, ideally coupled with suitable management qualifications.

•  Typically a background in technical IT roles such as IT infrastructure, architecture, development or operations, with a clear and abiding interest in information security.

•  Sound knowledge and understanding of information processing environments, infrastructure, data communications and operating system administration, and information security principles.

•  Must be highly aware of emerging trends in IT security.

•  Strong knowledge of various banking applications and infrastructure.

•  Experience of ERP software (Oracle, SAP, etc.) is very desirable.

•  Ability to communicate and function in a culturally diverse and change-oriented setting.

•  Excellent verbal and written communication skills in English. Knowledge of the Bank’s other working languages is an added advantage.

•  Willingness to travel and to work long hours where required in order to achieve the Bank’s objectives.
