Job vacancy VP, Information Security
Announced
27 February, 2024
Job Type
Employee
Job Status
Full Time
Job Title

VP, Information Security

Job Location
Job Presentation

The selected candidate will assist the Country CRO in building the newly established unit and is expected to establish a strong risk governance framework covering KSA.

The candidate is responsible for the development, implementation, management and assurance of group-wide information security and governance, in order to facilitate secure and effective banking operations while mitigating risks and ensuring compliance.

In doing this, he/she will work closely with the Group Risk Management units to ensure that the Group's methodologies, policies and procedures are established in KSA. Additionally, the candidate will build, produce and regularly update the risk report suite to ensure consistency and compliance with the bank's risk tolerance.

Key Accountabilities

Governance

  • In conjunction with, and as required by, the Country Chief Risk Officer, manage the Information Security & Business Continuity framework for the Country and Group Risk & Compliance Committees.
  • Provide regular reports to the Country CRO on the location's risk profile with mitigation plans. Assist the Country CRO and Committees in taking appropriate decisions to manage the risk profile within the set appetite.

Strategy Development and Implementation

  • Assist the Country Chief Risk Officer in the formulation, implementation and delivery of the risk strategy of the Franchise in KSA, in line with the vision, mission, values and priorities.
  • Maintain, execute and continuously improve the risk management strategy, frameworks and tolerances of the Franchise in KSA to assess and mitigate risk, and to ensure the region operates within its pre-defined risk appetite, aligned to the Group's risk and business strategy.

Budgeting and Financial Performance

  • Manage the preparation of the department budget and monitor financial and risk performance against the budget, while ensuring all departmental activities are conducted in line with the approved guidelines.

Policies, Systems, Processes & Procedures

  • Assist in the development and effective implementation of risk policies (Information Security, Business Continuity), procedures and controls covering all areas of the Franchise in KSA, so that all relevant procedural and legislative requirements are fulfilled while delivering a quality, cost-effective service.
  • Contribute to the development of a risk culture within the Franchise in KSA to drive heightened awareness and understanding of prudent risk management practices; work with other risk teams on technical aspects so that key stakeholders are equipped with the knowledge and capability to take risk-based decisions on behalf of the Group.

Risk Management Framework

  • Assist the Country CRO in the implementation of risk management systems, policies, procedures and reports for Information Security & Business Continuity, in partnership with the Group Risk heads.
  • Assist in the development, implementation and maintenance of Information Security (IS) plans, including programs, systems and standards relating to information security, in order to mitigate risk and ensure the full protection and integrity of the assets concerned, including institutional memory and data.
  • Develop a comprehensive Risk Review mechanism for information security policies and procedures to assure their consistency, comprehensiveness and adequacy, so that they enable an effective information security risk management process and are adjusted as appropriate to reflect changes in the risk profile and market dynamics.
  • Develop & maintain security assessment methodologies for IT infrastructure changes in line with the bank’s information security policy, PCI DSS requirements, industry standards and other regulatory requirements.

Information Risk Assessment and Management

  • Manage the data classification and risk categorization of information assets in coordination with respective business/information owners, in order to enable the identification, analysis and mitigation of risk in information technology and business systems.
  • Conduct risk assessments and penetration tests to identify current and future security vulnerabilities and flaws in information systems, determine the management-approved level of risk, and work closely with relevant teams to prepare and maintain action plans to mitigate issues/IS risks.
  • Identify current and potential legal and regulatory issues affecting information security and monitor the assessment of their impact on the organization, in order to recommend suitable action plans and enable informed decision making.
  • Design and ensure implementation of a governance structure for information security to manage conformity and compliance with security requirements KSA-wide.

Security Assurance

  • Manage the monitoring of information security violations, and review and provide recommendations on corrective action, to ensure adequate information security in compliance with the relevant standards, guidelines and policies.
  • Manage the testing of security architecture to evaluate the security strengths and detect possible threats to IT systems.
  • Manage the review of: (a) user access profiles of critical financial systems, (b) system(s) log activity, and user activity related to access authorization and utilization, (c) forensic analysis, cyber-crime investigation, incident emergency response and investigations, ensuring adherence to policies, guidelines and effective management towards achieving the objectives of IS across the Franchise in KSA.

Business Continuity Framework, Planning & Governance

  • Manage the application of a Business Continuity Management Framework, incorporating policies, strategies and programs in compliance with best-practice standards and NCEMA, to increase the ability of the Franchise in KSA to prevent, prepare for, respond to, manage and recover from the impacts of a business disruption event.
  • Establish business continuity plans commensurate with the nature, size and complexity of operations, taking into consideration different types of likely or plausible risks/scenarios to which the group may be vulnerable in order to provide resilience against such risks/scenarios.
  • Ensure that BCM plans are defined, rigorously tested and implemented across all departments (including call tree testing, Crisis Management plan simulation, and planning of consolidated and/or integrated premises exercises), in response to threats and hazards identified through risk management processes.
  • Monitor and review BCM plans to ensure strategies remain consistent with current operations, risks and threats, resiliency requirements, response, and recovery priorities, and that they incorporate lessons from testing and activation.
  • Design, develop and implement the BC corporate governance model to develop effective guidelines for conducting the business continuity process.

Incident/Disaster Management

  • Maintain the operational effectiveness and readiness of the disaster recovery site by conducting regular inspections and ensuring that all information and data can be stored safely, so that the integrity and confidentiality of the institutional memory of the Franchise in KSA are fully protected and easily restored in the event of a disaster or incident.
  • Ensure that the recovery capabilities meet the business requirements through conducting regular testing in coordination with IT and analyzing the future business needs, so that the decisions related to the design and procurement of the new recovery infrastructure are facilitated by key inputs and facts.
  • Ensure that a log of incidents is maintained, and review reports before they are presented to top management to ensure they are comprehensive and accurate in their key findings and provide value-added recommendations for improving the business continuity plans.

Data Privacy

  • Develop data privacy strategies.
  • Act as the primary point of contact within KSA for members of staff, regulators and any relevant public bodies on issues related to data protection, when needed.
  • Ensure the policies and procedures are in accordance with the Personal Data Protection Law (PDPL) and codes of practice.
  • Evaluate the existing data privacy controls, identify areas of non-compliance or partial compliance, and rectify any issues in consultation with key stakeholders.
  • Inform and advise the Data Controller or Data Processor on all matters related to data privacy.
  • Promote a culture of data privacy compliance across all units of the organization.

Change Management

  • Participate in the management of change through continuous improvement of functional systems, processes and practices, taking into account global standards and changes in the business environment which demand proactive action plans.

Relationship Management

  • Maintain effective business relationships with all relevant external and internal entities (such as government authorities, other financial institutions and key stakeholders) and all sections, to the highest standards of business ethics, whilst promptly attending to all critical issues in order to ensure the services required by the organisation are delivered in the most effective manner.

Minimum Qualification

  • Bachelor’s degree in IT or related discipline.
  • Master’s degree in Business Administration, or a related discipline is preferred.
  • Certification in related disciplines is preferred.

Minimum Experience

  • 10+ years' relevant experience in the banking sector, with at least 4 years in similar positions of progressively increasing managerial responsibility in the Information Security & Business Continuity management function.
Valid Till
27 May, 2024

JOB BY
Gulf Bankers
403, Jumeirah Bay X2 Tower, Dubai, UAE
  (+971) 44 179 600
How to Apply

Kindly use the following link to apply for this job: