The Information Security Officer (ISO) is responsible for the governance of all aspects of the physical and logical security of the bank's information assets and ensures the confidentiality, integrity, security and availability of the information technology environment.
Develops and manages an information security programme:
Designs and leads an enterprise wide information security programme to identify, assess and mitigate risks.
Writes, implements and maintains security policies and procedures.
Establishes an effective reporting and escalation process.
Appraises and guides the executive team on all aspects of information security, including trends, threats and vulnerabilities.
Leads Solution Development and Maintenance:
Leads / oversees and works with service providers on system upgrade strategies; leads the architecture, design, implementation and maintenance of complex solutions.
Identifies, screens and evaluates new solution opportunities to address business requirements.
Works with leadership and service providers to ensure the timely introduction and withdrawal of projects and products in line with the company's business plan and strategy.
Implements the Information Security Strategy:
Develops and implements the information security strategy and governance framework which is consistent with Group information security objectives and industry best practices.
Proactively works with IT management to implement and integrate information security procedures, standards and controls into day-to-day operations.
Manages Information Security Technologies:
Manages Information Security technologies including identity and access management, penetration testing, identity theft, denial of service (DoS) attacks, hacking techniques, access list management, user authentication, data encryption, vulnerability scanning, intrusion detection, email scanning, web content filtering, virus management and security testing.
Keeps abreast of developments in the areas of legal, regulatory, corporate requirements, technological developments and best practices in the information security field.
Work closely with auditors and drive the necessary remediation of information security findings
Assist in identifying and mitigating information security related risks
Conduct risk assessments on third parties to ensure compliance with information security standards
Application Security - Automation:
Define the information security requirements for SDLC
Facilitate information security code reviews
Drive security automation into the DevOps processes
Drive the vulnerability and patch management programme
Coordinate technical information security assessments and penetration tests, as well as drive remediation
Manage the information security products and support vendors
Review, provide input, and approve solution designs from an information security perspective
Define and drive security architecture
Education (formal qualification required):
National certificate / Grade 12
BCom Computer Science, Informatics or Auditing or an Engineering degree
Ideal but not essential:
B degree plus certifications (OSCP, CISM, CISA)
Postgraduate Diploma / Advanced Diploma / Degree in IT will be advantageous.
Five to eight years' experience in Information Technology
Five years' experience in enterprise information security architecture related roles and experience in technical analysis, vulnerability scanning and information security assessments
Five+ years' experience and knowledge of BS27000, COBIT, SDLC methodologies and ITIL
Three to five years' experience in leading and managing the information security discipline
Five years' experience in the establishment and maintenance of information security architecture
Five years' experience in the technical implementation of the required information security controls