Business Information Security Officer (BISO)

Cape Town, Western Cape, South Africa

Job Description
Responsibilities:

  • The Business Information Security Officer (BISO) is responsible for identifying and assessing the cyber and information security requirements of the business.
  • The BISO (with endorsement from the Head of IT Operations) is responsible for the establishment and maintenance of an Information Security Management System (ISMS) and for ensuring that the appropriate cyber and information security controls are implemented, maintained, and aligned with the Group governance requirements (such as PSPGs and the Group Cyber Resilience Framework).
Key Outcomes
The BISO is expected to achieve the following outcomes:
  • Establish and manage a Glacier Information Security Programme.
  • Implement cybersecurity awareness campaigns.
  • Participate in Group Information Security Programme (GISP) initiatives.
  • Information Security Governance and assurance.
  • Document processes and artefacts that prove that the relevant governance and assurance processes were implemented as designed.
  • Information Security Incident response and Cyber Crisis Management.
  • Application (including cloud) and Infrastructure Security, and Cybersecurity Education, Training and Awareness.
  • The BISO will implement processes and controls as agreed with the Group CISO, GISP and the Business CIO.
  • The BISO will be responsible for the quality and cost-effectiveness of the delivery of information security services in the BU and will report on these metrics to the GISP.
  • Provide regular feedback to Manco on Group-wide information security issues.
  • The BISO will report to the GISP Manager on new initiatives, plans and progress which will be discussed at the Group Cyber Sub-Committee.
  • Review and improve existing IT and Information Risk assessment, reporting and management practices.
  • Update the IT and Information Security Risk register.
  • Document the security risk management action plan, including the relative priorities of agreed actions, ownership of each action and agreed timelines. Priorities will be aligned to GISP priorities, and the BISO must have an action plan to implement these initiatives.
  • Maintain an up-to-date and complete cloud technology, outsourcing and third-party register (where applicable).
  • Review and respond to PSPG and risk acceptance requests within the agreed time.
  • Communicate planned group awareness campaigns clearly and timeously to management and users, and perform risk assessments that identify any requirement for additional or targeted education, training and awareness interventions.
  • Alignment with the Group annual security education, training and awareness plan.
  • Document the logical access review schedule for Line of Business applications, review the results, facilitate resolution, and report progress on the resolution of issues identified during the reviews.
  • Review and respond to all security related audit findings.
  • Report all cyber security incidents, or information security incidents (including privacy related incidents) where the compromise was through technology to the SGT CSIRT.
  • Be a primary contact for cybersecurity incidents that are identified by the SGT CSIRT.
  • Ensure appropriate actions are taken when policy breaches are identified in the BU.
  • Assist by facilitating engagement and communication with key stakeholders in the Cluster during a major incident.
  • Produce Quarterly Group ISO Forum and GISP reports.
  • Ensure that security 'gates' are a formal part of the SDLC/Agile/relevant solution development methodology.
  • Interventions and role-players must be clearly specified.
  • Active participation in our client's sanctioned industry bodies (such as ISF Live, ISACA, FS-ISAC).
  • Timeous escalation of new, high, or escalating cybersecurity risks.
  • Engage with application owners and the GCSC Operations Team to ensure that system vulnerabilities identified during penetration tests, Red Team exercises or vulnerability scans are addressed. Ensure that the CIO is aware of the risks and the actions required.
  • Facilitate workshops and risk documentation during Control Self Assessments, or Crown Jewel Risk Assessment processes.
  • Perform root cause analysis and implement permanent or long-term fixes for cyber-related incidents.
  • Strong understanding of integration between Workstations and Network/Servers.
  • Installation and monitoring of devices using automated tools (such as SCCM) & scripting.
  • Responsible for maintaining a configuration register of assets and licenses.
Qualifications and Experience:
  • Grade 12.
  • Bachelor's degree in information technology, commerce, science, or social science.
  • Minimum 5 years relevant experience.
  • Current (in-force) cyber and information security certifications (such as CISM, CISSP, CCSP, CISA, ISO/IEC 27001 Lead Implementer/Auditor). If the candidate does not hold such a certification, evidence is required that the candidate is studying towards one.
Competencies
  • High Stress Tolerance.
  • Building and maintaining relationships.
  • Teamwork and ability to function independently.
  • Facilitation Skills.
  • Attention to detail.
  • Planning and organizing.
Attributes:
  • Honesty, integrity, and respect.
  • Positive enthusiastic can-do attitude.
  • Ability to work under pressure and long hours.
  • Ability to co-operate and thrive both within an independent and team environment.
Qualification and Experience:
  • Degree with 5 to 6 years related experience.
Knowledge and Skills:
  • Project Management
  • Reporting and Administration
  • Business Requirements Definition
  • Compliance Monitoring
  • Emerging Technologies
Personal Attributes:
  • Interpersonal savvy - Contributing through others.

ExecutivePlacements.com

Job Detail

  • Job Id: JD1295718
  • Industry: Not mentioned
  • Total Positions: 1
  • Job Type: Full Time
  • Salary: Not mentioned
  • Employment Status: Permanent
  • Job Location: Cape Town, Western Cape, South Africa
  • Education: Not mentioned