
  • Posted: Aug 8, 2024
    Deadline: Aug 18, 2024

    At Sidian Bank, we recognize the significant accountability and inherent risks that an entrepreneur takes to make his ideas and dreams a reality. It is for this reason that our mission is to empower entrepreneurs to create wealth through the provision of transformational financial solutions that meet entrepreneurs' needs and facilitate growth through convenience and choice.


    ICT Risk and Data Protection Analyst

    JOB PURPOSE

    The role holder will assist in providing continuous independent assurance of the Bank's Information Communication Technology (ICT) Risk and Data Privacy framework with regard to Governance, IT Risk Assessments, Risk Response & Reporting, Information Security, Privacy Architecture and Data Lifecycles of the Bank's IT assets, projects and processes. The role holder will also assist in ensuring that ICT and Data Privacy risks are managed in compliance with the Bank's policies, laws, regulatory guidelines and applicable standards.

    KEY RESPONSIBILITIES

    • Governance and Compliance
    • IT Risk and Data Impact Assessment
    • Business Continuity and Disaster Recovery Coordination
    • Monitoring and Review of Systems
    • Incident Management
    • Reporting
    • Risk & Compliance

    MAIN ACTIVITIES
    Governance and Compliance:

    • Establishing the Data Protection Regulation Governance, regulatory framework and implementation plan which shall include development of the various required statements and policies.
    • Driving implementation of essential elements of the Data Protection Regulation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
    • Regularly training all internal stakeholders involved in data collection/processing, updating the training, and conducting specific trainings for specific processing requirements.
    • Maintaining data protection policies and procedures.

    IT Risk and Data Impact Assessment:

    • Ensuring Records of Processing Activities (ROPA) are undertaken in line with data privacy laws.
    • Creating an Information Base: Guide and support the creation of an information base on Data Protection and any other elements which may be helpful to the controllers and the staff of the organization.
    • Data Protection Regulations: Developing, together with the business and support functions, impact assessments, data protection policies, guidelines, and processes to ensure that compliance is consistent and in line with the Data Protection Regulation.
    • Support the business in the preparation of digital and other privacy statements as may be required for the institutions and support functions, and ensure processes are put in place for the institutions/support functions to collect consents from the relevant data subjects and partners and to provide relevant privacy statements on all company forms and/or literature, websites and other communication or data collection mediums.
    • Keep up to date with the latest security and technology developments, research/ evaluate emerging security threats and ways to manage them.
    • Networking with other Data Protection Officers to share information and keep up with emerging trends around data protection, following up on changes in laws, and making recommendations on changes required.

    Business Continuity and Disaster Recovery Coordination:

    • Ensure the roles and responsibilities of managing cyber and Data Privacy risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
    • Creating and maintaining a register on comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request.
    • Disaster recovery coordination. Maintain the IT Disaster Recovery Plan including annual reviews.
    • Oversee the regular testing of the plan and update for major changes in hardware, applications, business and regulatory requirements accordingly.

    Monitoring and Review of Systems:

    • Monitoring performance and adherence to the requirements of the regulation while providing advice on the data protection impact assessment.
    • Conducting audits to ensure compliance, accountability and address potential issues proactively.
    • Monitor security events received from the Bank’s security tools on applicable perimeter devices, systems, databases and servers for potential attacks, suspicious or anomalous activities.
    • Strengthen the monitoring of system transaction integrity and events by reviewing system audit logs and escalating noted anomalies.
    • Analyze and document business process objectives and design to identify required information systems controls.

    Incident Management:

    • Serving as the assistant to the Data Protection Officer and point of contact between the Companies, the Data Commissioner and other Regulatory Authorities, and co-operating with them during inspections by answering any complaints or queries raised with regard to Data Protection.
    • Handling queries or complaints internally or externally regarding data confidentiality and use.
    • Escalate and report on incidents, potential gaps or risks as observed during monitoring activities.

    • Document security breaches and measure the damage caused.

    Reporting:

    • Reporting to the Supervisor.
    • Providing updates on the Data Protection compliance programme to the Board and Risk Management Committee
    • Providing status updates to the Head of Risk and Senior Management on a regular basis (at least monthly) and drawing immediate attention to any failure to comply with the applicable data protection requirement.
    • Share a monthly report on privileged access management and bank-wide compliance with user access rights.
    • Quarterly reporting to the Board on the exceptions noted in user access management likely to impact the Confidentiality, Integrity and Availability of information.
    • Any other duties as deemed necessary by the supervisor.

    ACADEMIC BACKGROUND

    • Bachelor's degree in Information Technology, Computer Science, Business, or related fields.
    • Strong knowledge of Information Security related frameworks/regulations such as ISO 27001 and NIST 800-53.

    WORK EXPERIENCE

    • At least 3 years of Banking or Information Technology experience.
    • Knowledgeable in IT operations, IT Risk and IT Audit.
    • Knowledge of Data Protection laws and the General Data Protection Regulation (GDPR).

    SKILLS & COMPETENCIES

    • Excellent interpersonal and communication skills.
    • Working in teams.
    • Excellent analytical skills.
    • Problem solving skills.
    • Excellent knowledge of security tools.
    • Report writing skills.
    • Ability to operate within 24HR shifts as and when required.

    PROFESSIONAL CERTIFICATION

    • Professional qualification such as Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Data Privacy Solutions Engineer (CDPSE), or other relevant certification.

    Method of Application

    Interested and qualified? Go to Sidian Bank on sidianbank.co.ke to apply
