Information Technology Security Officer

Information Technology: systems development, business analysis, architecture, project management, data warehousing, infrastructure, maintenance and production

Job Purpose

To implement a comprehensive Information Technology security program with the Information Technology lines of business to protect their applications and supporting infrastructure from both internal and external threats, manage threats and incidents when these materialise, ensure compliance with regulatory requirements regarding.

Information Technology security, ensure the appropriate use of bank assets and educate employees about their Information Technology security responsibilities.

Key Responsibilities/Accountabilities

Work with IT partners to provide IT Security Advisory services and guidance:

• Develop and maintain relationships with key stakeholders to further embed the partnership that exists between IT Security, IT and the business.
• Research and maintain knowledge of the IT threat landscape, security trends, regulatory requirements, new technologies and best practices in order to provide sensible and pragmatic security advice to stakeholders.
• Provide ad-hoc consulting and engagement with various business units on secure, cost effective and practical control implementations across various platforms and/or systems.
• Facilitate the adoption of IT Security solutions e.g. privilege user management or access management processes and services e.g. IT Security engineering and penetration tests across the application and infrastructure landscape.
• Provide adequate IT Security input into all features and other technology solutions; this includes the requirements for the evaluation, selection, installation, configuration and maintenance of hardware, applications and software.
• Develop an effective line of business IT Security strategy that supports and enables business strategy.
• Advise IT business partners on regulatory and/or legal requirements as it relates to securing of data as well as assist with the implementation of the controls to support these requirements.
• Establish relevant metrics and management information to facilitate reporting and decision making.
• Facilitate the reduction in the number and impact of IT Security incidents.
• Act as a single point of contact for IT security risks, incidents and controls within the business units.
• Lobby with the BIO/CIO for the prioritization of the security control backlog.

Identify, Assess and remediate Technology and IT Security Risks:

• Develop a security assessment schedule across the respective lines of business / business units.
• Conduct reviews of applications, systems, underlying infrastructure and related processes as per the schedule.
• Establish and maintain risk profiles for business units by facilitating the implementation and ongoing management of general control reviews.
• Develop a cost-conscious risk treatment plan based on identified risks, threats, vulnerabilities, audit findings, policies and regulatory requirements.
• Collaborate threat intelligence, cybersecurity, security engineering and other risk functions to develop and maintain a holistic security strategy and remediation plans.
• Collaborate with feature teams, product owners, architecture, IT, business, vendors and other stakeholders to investigate risk remediation controls.
• Assist in documenting and tracking security findings into a formal risk register. Provide the necessary information to support any deviation to IT Security policies and standards.
• Facilitate the use of secure architectural patterns and work with the security engineers to translate these patterns into line of business secure builds.
• Embed the use of self-service and automated security testing into the DevOps/Software Development Lifecycle.
• Facilitate continuous technical system reviews by working with the Penetration Test Team and assist business with interpretation and implementation of required controls.
• Recommend the implementation of effective controls to support defined security policies and standards. Co-ordinate and track the implementation of remediation plans.
• Establish relevant metrics and produce risk reports for stakeholders highlighting key risks, threats, incidents progress and status to assist in decision making.
• Participate in IT Security incident response planning and investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.

Drive appropriate Logical Access Management practices in IT:

• Establish, maintain and improve logical access management practices for all users (Generic, User, Service and Privileged) by the application of appropriate manual and/or automated processes – in order to provide assurance that the right people have the right level of access to the bank’s information.
• Implement and validate all aspects of the access management lifecycle, as prescribed by the appropriate policies and standards.
• Implement additional processes, such as Segregation of Duties, Password Safes and Audit trails, to address the risk posed by privileged IT users.
• The success of these activities must translate into the reduction of logical access audit findings and security breaches of a logical access nature, by embedded logical access practices into Business processes, and by a positive trend of various metrics being used to track maturity and control failures.

Create culture and awareness of IT Security good practices:

• Develop an awareness and training plan for the line of business that is fit for purpose, aligned with strategy and considers a range of risk data points e.g. audit findings, risk and control self-assessments, IT Security risk assessments, emerging threats and risks, and incidents.
• Create awareness to the IT Executives and broader IT community on the back of new threat and risk intelligence. Proactively create awareness on recurring risk themes.
• Implement the awareness plan through various delivery mediums.
• Measure the effectiveness of the awareness plan through sampling, surveys, tests, attendance registers or equivalent.

Assist with implementation of IT Security Policies, Standards and Guidelines:

• Participate in the development of new and the annual review of existing IT Security Policies, Standards and Guidelines by providing input to enhance the quality and completeness of these documents.
• Communicate the requirements for compliance to the IT Security Policies, Standards and Guidelines to the relevant parties within IT.
• Identify areas of non-compliance to IT Security Policies and Standards within IT.
• Alert the responsible parties in IT where there is non-compliance to IT Security Policies and Standards and work with them to identify and recommend practical and feasible remediation plans and technical solutions.
• Report on the level of compliance and progress towards achieving compliance to IT Security Policies, Standards and Guidelines to the IT business partners.

Minimum Qualification and Experience

Qualifications:

• First Completed Degree
• Information Security related Certification (CISSP, CISM, CRISC, CISA)
• Degree in Computer Science

Experience:

• The Standard Bank Group has implemented a Vaccination Policy for all roles which require the incumbent to work from the Standard Bank premises on a full-time or intermittent basis. Full vaccination against COVID-19 is therefore an inherent requirement of this role.
• 7-10 – Prior industry experience in the corporate (preference Financial Institution) environment in an IT Security role.
• 7-10 – Experience in directly assessing and communicating Risk Exposures and developing risk mitigation plans.
• 3-4 – Experience in managing and coaching people
• 3-4 – Experience in coordinating large initiatives across multiple areas.
• 5-7 – Experience in working with international and cross functional matrix environments.
• Experience in engaging with a broad spectrum of stakeholders including senior executives.

PLEASE NOTE: All our recruitment and selection processes comply with applicable local laws and regulations. The Standard Bank Group has a Vaccination Policy which requires the incumbent to be fully vaccinated against COVID-19 in order to work from the Standard Bank premises on a full-time or intermittent basis. We will never ask for money or any form of payment as part of our recruitment process. If you experience this, please contact our Fraudline on +27 800222050 or forward to [email protected]