Objective
The Information Security Officer will implement selected cyber and information technology security initiatives with the information technology lines of business to protect their applications and supporting infrastructure from both internal and external threats. The role assists in the management of risks and ensures compliance with regulatory requirements regarding information technology security. It ensures the appropriate use of assets and educates employees about their information technology security responsibilities. It assesses and records risk findings, recommends appropriate mitigating controls, and plays an enablement role in supporting IT with risk remediation efforts.
Minimum requirements
- Degree/Diploma with required certification
- 6–8 years of related experience
- Investment and financial industry experience will be an advantage
Key responsibilities
- Ensure that conditions for lawful processing of personal information and measures set out in POPIA are complied with;
- Ensure that a manual and compliance framework is developed and updated, monitored, maintained and made available as prescribed by POPIA;
- Participate in the Group Information Security Programme, giving regular feedback to the Cluster Manco on Group-wide information security issues as part of the KPIs. An action plan is required to implement these initiatives in the Cluster, with regular reporting to the PM on progress;
- Participate in the Group (Policies, Standards, Procedures, Guidelines) Committee and Group Policy reviews and drive the implementation of Group and information security policies in the Cluster. Review and respond to PSPG requests within the agreed time and participate actively in the Information Security Forum;
- Keep the Businesses within the Cluster updated about the regulation responsibilities as well as advising Business Entities of their obligations under the regulation laws;
- Identify requirements for additional Information Security policies or standards applicable to the Cluster, and perform risk assessments that identify gaps in the existing policies. Adapt policies for the Businesses within the Group and agree the adaptations with Group where required;
- Tailor and develop additional policies or supporting standards, applicable to the Cluster only;
- Ensure that governance processes required to implement PSPGs and Privacy processes are documented and implemented;
- Document processes and artefacts that evidence the governance process was implemented;
- Design a document that specifies the controls to be implemented with documented actions, roles and timelines for Information Security policy standards and guidelines;
- Facilitate process reviews to ensure that policies are implemented;
- Responsible to address all requests and complaints related to Data Protection Laws made by the Business Cluster data subjects;
- Work with all relevant regulators, Group Technology, the Group Compliance Office, ISO and the Group Information Officer in relation to any ongoing investigations;
- Provide input to the Group Technology Cyber Security Committee regarding security awareness campaigns, and act as the Cluster co-ordinator for Group Security's information security and privacy awareness campaigns;
- Using Risk Assessments, identify the opportunities or needs for more specific awareness or specialised training actions that are required for SIG Cluster on privacy and information security;
- Tailor, create and/or facilitate the creation and distribution of specific awareness materials on security, privacy, data and policies. The Cluster should have an annual awareness training plan that ties in with Compliance and the Group Awareness plan;
- Act as the interface to the Cluster when any decisions must be made about logical access on business applications and business data with the responsibility for review of access to business applications. This will form part of a monthly progress reporting on the resolution of issues that were identified during the reviews;
- Assist Group in performing logical access reviews on centrally managed systems as well as resolve logical access related audit findings for the business applications within the Cluster;
- Act as the primary contact between the Cluster and the Group Technology Cyber Security Incident Response Team and report information and cyber security incidents;
- Manage the resolution (action plan) to address root causes in the Cluster in relation to cyber security as well as to ensure that all key stakeholders in the Cluster are aware of the process to follow when an incident occurs, and how to log the incident within the formal process;
- Implement the processes to identify information security and privacy risks, determine ownership of such risks and maintain a risk register;
- Facilitate the process to analyse and evaluate the risks including getting the Business Owners and Deputy Information Officers involved with agreeing the severity of the impact with the Businesses;
- Facilitate the process to agree actions, timelines and resources to mitigate the privacy and security risks;
- Work with audit to ensure that privacy and security issues are assigned to the correct owners, track the progress of audit items resolution as well as keep Manco informed on progress of implementation;
- Direct Pen Tests requests and requests for cloud services;
- Identify trusted information sources and stay up to date with events and threats happening in the information security industry;
- Evaluate new potential solutions and ensure that security is addressed in the Business Case, requirements, design and development stages. Ensure that the solution integrates with existing processes in the Cluster and the broader Group;
- Document security standards and patterns based on Group-agreed best practices, and provide non-functional security requirements by ensuring that security roles, auditing and data protection are monitored and aligned to the relevant policies for secure development practices;
- Review system design, perform and facilitate application security testing for secure development practices;
- Manage the resolution of vulnerability management issues that were assigned to owners in the Cluster for Infrastructure Security;
- Approve system hardening baselines. Facilitate the approval by the Cluster for requests from Group to accept risks as well as review and approve security standards proposed by Group for Infrastructure Security.
Please note: Only candidates being considered will be contacted
Desired Skills:
- Information & Information Security Officer