Information Security & Technology Risk

Manager, Information Security and Technology Risk

Role Summary 

Working collaboratively with the Information Security team and third-party service providers to contribute to the protection of the Bank's information assets. The incumbent will assist in identifying and analyzing security anomalies and applying mitigating actions as instructed by management. The Manager will lead the management of information security risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes. The incumbent will assist with the embedding of policies, standards and procedures related to the effective management of the Bank's security posture and will assist in the execution of security tests, risk assessments, exercises, simulations, initial investigation of security breaches, user training and other security activities as deemed necessary. The Manager will lead the team of information security professionals by working closely with server and network operations team to ensure stability of the Bank's information security posture and may also be required to liaise with internal and external auditors and assist in audit reviews throughout the year. 

Key Accountabilities Governance and Risk Management:

Manage the completion of IT risk assessments, including information security assessments (ISAs), threat risk assessments (TRAs), vulnerability scans, penetration testing, etc., follows up on open issues, validates completion of agreed mitigating tasks and other related tasks. Review and validate identified vulnerabilities provided by the Analyst. Monitors overall compliance of information security policies and standards. Work with team in closing out raised incidents of non-compliance and / or relevant parties to ensure resolution and learning.

Incident and Problem Management: 

Manages the collection and evaluation of information required to investigate and remediate, as necessary, alerts received from the onsite security tools and third party providers of information security services, e.g., IBM ISS. Immediately informs Director of all critical events identified. Compiles all required information for further investigation of identified incidents. Provides incident response support, including assisting manager with mitigating actions to contain activity. Secrets management, as directed by the manager: Reviews and approves requests for new / modified security profiles; reviews requests to ensure completeness and prepares draft profiles. Manages the maintenance of the security matrices; researching changes to users' authentication with the application owners and confirming the results of the security matrices tests. Reviews and approves processing requests for certificates, tokens and keys; reviews requests to ensure completeness and prepares responses with feedback to team.

General: 

Manages data collected and collates data for the generation of key performance indicators and key risk indicators. Manages team testing of new computers, software, switch hardware and routers before implementation to ensure security posture is maintained. This includes running vulnerability scans and running configuration compliance (hardware / databases / operating systems, etc.), scans and escalating significant issues to be addressed to responsible managers. Reviews and actions security compliance alerts within service level agreement (SLA) to ensure that anomalies / vulnerabilities are escalated / mitigated. Other tasks that may be assigned by Directors. Application and Cloud Security To ensure application code implemented meets the established secure code standards and the cloud deployments are secured, thus mitigating the risk of unauthorised access to the bank and customers' data: Manages all application security testing, coordinates tests with third party providers, and ensures that results are logged within applicable systems. Undertakes cloud security tasks as assigned by the Director, coordinates tests with third party providers, and ensures that results are logged within applicable systems.