Job Description

Who are we?
Sanlam Group Technology is responsible for the provision of a digitally enabled technology service as a group COE, drive business and transformation and provide group-wide digital and data architecture. We operate the various technology platforms and shared services, ensure Cyber and Information Security resilience, and act as technology governance and risk orchestrator for technology across Sanlam.
What will you do?
The Business Information Security Officer (BISO) is responsible for identifying and assessing the InformationSecurity requirements of the business. The BISO in conjunction with the Business CIO, is responsible for theestablishment and maintenance of an Information Security Management System (ISMS) and ensure that theappropriate Information Security controls are implemented, maintained and aligned with the GroupGovernance requirements (i.e. Policies, Standards, Procedures and Guidelines and Cyber ResilienceFramework). The BISO is responsible for Security Awareness, Information Risk Management and translatingrisks and the effect thereof to Lines of Business to ensure informed risk assessment. Other responsibilitiesinclude: Participation in Group Information Security bodies and initiatives, logical access management,incident response, vulnerability management, IT audit coordination, ensuring new systems adhere to securitypolicy and Providing management assurance regarding the Cyber and Information Security posture of theBusiness.
What will make you successful in this role?
Establish and manage a Business Information Security Programme, effective participation in GroupInformation Security Programme (GISP) initiatives, Information Security Incident response and Cyber CrisisManagement, Information Security Governance and assurance, Application (including cloud) andInfrastructure Security, and Cybersecurity Education, Training and Awareness.
The BISO will implement processes and controls as agreed with the CISO and the Business CIO. The BISOwill be responsible for quality and cost effectiveness of delivery of information security services in the BU andwill report on these metrics to the GISP.
Outputs

• Regular feedback to Business Manco on Group-wide information security issues.
• The BISO must have an action plan to implement these initiatives in the Business .
• The BISO will report to the GISP Manager on new initiatives, plans and progress which will be discussed at the Cyber Steering Committee.
• Review and improve existing IT and Information Risk assessment, reporting and management practices.
• Up to date and complete Business IT and Information Security Risk register.
• Documented Security risk management action plan. This must include relative priorities of agreed actions; Ownership of the actions; Agree timelines. Priorities will be aligned to Business and GIS Ppriorities.
• Up to date and complete Business Cloud register (if these services are used in the Business).
• Review and respond to Policies, Standards, Procedures and Guidelines and Risk Acceptance requests within the agreed time.
• Document processes and artefacts that prove that the relevant Governance and Assurance processes were implemented as designed.
• Clear and timely communication to management and users regarding planned group awareness campaigns.
• Risk assessment that identifies a requirement for additional awareness or targeted education, training and awareness interventions.
• Maintenance of Business/ Cluster and alignment with the Group annual security education, training and awareness plan.
• Documented Logical Access review schedule for Line of Business Applications, review results, facilitate resolution, progress report on resolution of issues that were identified during the reviews.
• Review and respond to audit findings related to application logical access and other Business specific Information Security findings. Ensure that the ratings are accurate.
• Provide management comment to the audit observations/ findings, that is specific as far as actions anddue dates are concerned.
• Track and follow up on audit finding commitments.
• Report all cyber security incidents, or information security incidents (including privacy related incidents) where the compromise was through technology to the SGT CSIRT.
• Be contactable or provide alternative contact details for Cybersecurity incidents that are identified by the SGT CSIRT.
• Ensure appropriate actions are taken when policy breaches are identified in the Business.
• Assist by facilitating engagement and communication with key stakeholders in the Cluster during amajor incident.
• Provide context on system and process criticality.
• Produce Quarterly Group ISO Forum and GISP reports.
• Provide input into requirements documents - ensure security roles; auditing; data protection (in transit and rest); monitoring etc. are defined in line with approved. Information Security policies and standards.
• Ensure that Security 'gates' are a formal part of the SDLC/ Agile/ relevant solution development methodology.
• Interventions and role-players must be clearly specified.
• Active participation in Sanlam sanctioned industry bodies (e.g. ISF Live, ISACA).
• Timeous escalation of new, high or escalating risks.
• Engage with application owners and Group Cyber Security Centre Operations Team to ensure that system vulnerabilities are addressed that were identified during Penetration tests, Red Team exercises or Vulnerability scans. Ensure that the Business CIO's are aware of risk and actions required.
• Facilitate workshops and risk documentation during Control Self Assessments, or Crown Jewel Risk Assessment processes.

Qualifications

• Grade 12
• Bachelor's degree in Information Technology, Commerce, Science, or Social Science (preferable).
• In force Information Security Certifications such as CISM, CISSP, CCSP, CISA, ISO 27000 Lead Implementer/ Auditor.

Experience and Knowledge

• Experience in policy writing and reviews.
• Experience in agile/ relevant solution development methodologies.
• Familiarity with security practices and standards in development like the security development life cycle (e.g. OWASP).
• Understanding of the technical and application environment of the Cluster/ Business.
• Experience in analysis and control design, strong written and verbal communication skills.
• Knowledge of ISO27k, Cobit, ITIL, CIS and ISF best practices.
• Knowledge of Information Risk Methodologies (ideally ISF IRAM2), threat modelling and Operational Risk management methodologies.
• Knowledge of the key business processes, key stakeholders and have their contact details readily available.
• Understanding of the risk management and governance structures within the Cluster.

Knowledge and Skills
Infiltration testing (hacking)
Risk management
Project Management Tools
Reporting and Administration
Research and trend analysis on IT security leading practice
Personal Attributes
Tech savvy - Contributing through others
Manages complexity - Contributing through others
Optimises work processes - Contributing through others
Communicates effectively - Contributing through others
Build a successful career with us
We're all about building strong, lasting relationships with our employees. We know that you have hopes for your future - your career, your personal development and of achieving great things. We pride ourselves in helping our employees to realise their worth. Through its five business clusters - Sanlam Fintech, Sanlam Life and Savings, Sanlam Investment Group, Sanlam Allianz, Santam, as well as MiWay and the Group Office - the group provides many opportunities for growth and development.
Core Competencies
Cultivates innovation - Contributing through others
Customer focus - Contributing through others
Drives results - Contributing through others
Collaborates - Contributing through others
Being resilient - Contributing through others
Turnaround time
The shortlisting process will only start once the application due date has been reached. The time taken to complete this process will depend on how far you progress and the availability of managers.
Our commitment to transformation
The Sanlam Group is committed to achieving transformation and embraces diversity. This commitment is what drives us to achieve a diverse, inclusive and equitable workplace as we believe that these are key components to ensuring a thriving and sustainable business in South Africa. The Group's Employment Equity plan and targets will be considered as part of the selection process.

Skills Required