We are recruiting for an Information Security Officer (IT/Data/Cyber). Details follow below.
Permanent, Cape Town based. Open to South Africans matching the role specifications.
The Information Security Officer will implement selected cyber and information technology security initiatives with the information technology lines of business to protect their applications and supporting infrastructure from both internal and external threats.
- Degree/Diploma with required certification essential
- Minimum 6 – 8 years related experience
- Investment and financial industry experience will be an advantage
- Ensure that conditions for lawful processing of personal information and measures set out in POPIA are complied with
- Ensure that a manual and compliance framework is developed and updated, monitored, maintained and made available as prescribed by POPIA
- Participate in the Group Information Security Programme (GISP), with regular feedback to Manco on Group-wide information security issues, as part of KPIs. An action plan is required to implement these initiatives in the business Cluster, with regular reporting to the GISP PM on progress
- Participate in the Group (Policies, Standards, Procedures, Guidelines) Committee and Group Policy reviews and drive the implementation of Group and information security policies. Review and respond to the PSPG requests within the agreed time as well as active participation on Information Security Forum
- Keep the Businesses within the business unit updated about the regulation responsibilities as well as advising Business Entities of their obligations under the regulation laws
- Identify requirements for additional Information Security policies or standards applicable to the business cluster, and perform risk assessments that identify gaps in the existing policies. Adapt policies for Businesses and agree the adaptation with Group where required.
- Tailor and develop additional policies or supporting standards, applicable to the business only
- Ensure that governance processes required to implement PSPGs and Privacy processes are documented and implemented
- Document processes and artefacts that evidence the governance process was implemented
- Design a document that specifies the controls to be implemented with documented actions, roles and timelines for Information Security policy standards and guidelines
- Facilitate process reviews to ensure that policies are implemented
- Responsible for addressing all requests and complaints related to Data Protection Laws made by the Business Cluster data subjects
- Work with all relevant regulators, Group Technology, the Group Compliance Office, ISO and the Group Information Officer in relation to any ongoing investigations
- Provide input to GTIGCSC (Group Technology Cyber Security Committee) regarding security awareness campaigns, and act as the coordinator within the business Cluster for Group Security information security and Privacy awareness campaigns
- Use Risk Assessments to identify opportunities or needs for more specific awareness or specialised training actions required for the Business Cluster on privacy and information security
- Tailor, create and/or facilitate and distribute specific awareness materials on security, privacy, data and policies. The business Cluster should have an annual awareness training plan that ties in with Compliance and the GTIGCSC Awareness plan
- Act as the interface to the business Cluster when any decisions must be made about logical access on business applications and business data with the responsibility for review of access to business applications. This will form part of a monthly progress reporting on the resolution of issues that were identified during the reviews
- Assist GTI in performing logical access reviews on centrally managed systems as well as resolve logical access related audit findings for the business applications within the business Cluster
- Act as the primary contact between the business and Group Technology Cyber Security Incident Response Team and report information and cyber security incidents
- Manage the resolution (action plan) to address root causes in the Business Cluster in relation to cyber security as well as to ensure that all key stakeholders in the Business Cluster are aware of the process to follow when an incident occurs, and how to log the incident within the formal process
- Implement the processes to identify information security and privacy risks with determining ownership of such risks and maintaining a risk register
- Facilitate the process to analyse and evaluate the risks, including getting the Business Owners and Deputy Information Officers involved in agreeing the severity of the impact with the Businesses
- Facilitate the process to agree actions, timelines and resources to mitigate the privacy and security risks
- Work with audit to ensure that privacy and security issues are assigned to the correct owners, track the progress of audit item resolution, and keep Manco informed on progress of implementation
- Direct Pen Tests requests and requests for cloud services to GTIGCSC
- Identify trusted information sources and stay up to date with events and threats happening in the information security industry
- Evaluate new potential solutions and ensure that security is addressed in Business Cases, requirements, and the design and development stages. Ensure that the solution integrates with existing processes in the Business Cluster and broader group
- Document security standards and patterns based on group-agreed best practices, and provide non-functional security requirements by ensuring that security roles, auditing and data protection are monitored and aligned to the relevant policies for secure development practices.
- Review system design, and perform and facilitate application security testing for secure development practices
- Manage the resolution of vulnerability management issues that were assigned to owners in the Business Cluster for Infrastructure Security
- Approve system hardening baselines. Facilitate the approval by the Business Cluster for requests from GTI to accept risks as well as review and approve security standards proposed by GTIGCSC for Infrastructure Security.