Manager, Information Security and Data Protection job at Gulf African Bank
Employer: Gulf African Bank
Job type: Full-time
Industry: Banking
Category: Computer & IT
Location: Nairobi, 00100, Kenya
Salary: Not disclosed (KES, monthly)
Date posted: 27 June 2025
Application deadline: Friday, 11 July 2025, 17:00 UTC

The Manager, Information Security and Data Protection will be responsible for steering the organization towards full compliance with the provisions of the Kenya Data Protection Act 2019 and any other related data protection/privacy laws. The role holder will support the design and implementation of information security controls (people, process and technology) across the Bank.

The role holder will also support the Bank’s Business Continuity and Disaster Recovery plans ensuring that essential services are available to the business and customers in the event of any unforeseen disruption, within the agreed service levels (RPO and RTO).

Key Responsibilities

  • Data Protection and Privacy - facilitate data privacy through transparent data protection policies, procedures and systems. Additionally, the role holder shall:
  • Act as point of contact with any supervisory authorities and internal teams on data processing-related issues.
  • Identify and evaluate the organization’s data processing activities.
  • Provide guidance in conducting Data Protection Impact Assessments (DPIAs).
  • Inform and advise the organization (data controller/data processor) and employees involved in data processing of their obligations to comply with Data Protection Act and other applicable regulations.
  • Monitor compliance with the Data Protection Act, as well as internal policies related to various data protection activities, including awareness, training, and internal audits.
  • Co-operate with the Kenya Data Commissioner and any other authority on matters relating to data protection.
  • Benchmark the Information Security Management System (ISMS) against industry best practice and standards.
  • Provide support in the bank's drive to align to best practices (COBIT, ISO 27001, PCI DSS, CIS etc.), embedding these in the relevant policies and practices.
  • Regulatory Compliance - keep up-to-date with regulatory guidelines (e.g. CBK prudential guidelines etc.) affecting information technology, information security, risk management and continuously update the organization’s policies, standards and procedures.
  • Risk & Audit Management
  • Support on planning and conducting risk assessments – covering people, processes and technology as per the bank’s risk management framework.
  • Support the bank’s third-party risk management process ensuring compliance with internal policies as well as regulatory requirements.
  • Act as liaison for internal and external audits on information security and data protection matters.
  • Track and report on audit and risk findings.
  • Manage the Information Security Awareness program across the organization and with external stakeholders, including awareness trainings, tools and reporting.
  • Business Continuity and Disaster Recovery Planning.

Support the bank’s Business Continuity and Disaster Recovery Planning through:

  • Business Impact Assessments (BIAs).
  • BCM Risk Assessment.
  • BCM Plans.
  • Call Tree Updates & Simulation testing.
  • IT DR Planning.
  • IT DR Testing.
  • BCM Tests - Branches & HQ Units.
  • Information Security Assurance Requirements
  • System user access management - maintain a robust program for system user access management.
  • Vulnerability management – ensure vulnerability scanning and reporting is done as per the bank’s policy.
  • Secure configuration – document and maintain standards for hardening systems to comply with global information security best practices.
  • Endpoint protection – evaluate and maintain adequate controls to detect and respond to malicious activities.
  • Logging and monitoring – provide oversight for the bank’s SOC function.
  • Incident response – support the development and testing of applicable incident response playbooks as well as offer guidance to SOC analysts in responding to real incidents as may be identified.
  • Business projects assurance - provide information security and data protection compliance assurance to business projects to ensure that any new products, services, channels and other changes introduced meet the information security and data protection compliance thresholds.

Knowledge and experience

  • Bachelor’s Degree in Information and Communication Technology (ICT), Information Systems, Computer Science, Information Security or related field required.
  • Data Protection training/certification.
  • Certified Information Security Manager (CISM) or ISO/IEC 27001 Lead Implementer Certificate.
  • Certified Information Systems Auditor (CISA) or ISO/IEC 27001 Lead Auditor Certificate.
  • Cybersecurity Technical training/certification. Certification in at least one of these areas: Ethical Hacking, CCNA, API Security, Cloud Security.
  • Business Continuity Management certification would be an added advantage.
  • Project Management certification e.g. PRINCE2 Practitioner would be an added advantage.
  • IT Service Governance certification e.g. ITIL would be an added advantage.
  • At least 5 years’ experience in Information Security or IT Governance, with at least 2 years handling data protection compliance in a managerial role.
  • At least 3 years’ experience conducting information security risk assessments or IT governance and assurance/compliance assessments in an organization.
  • Experience in the design, implementation and support of cybersecurity solutions e.g. SIEM, DAM, Vulnerability Management tools, Endpoint Protection tools, FIM, NAC, PAM etc.
  • In-depth understanding of information security best practice & compliance standards.
  • Experience in audit management and reporting.
  • Knowledge of relevant CBK Prudential Guidelines and laws applicable to data protection and privacy.
  • Prior experience working within a financial service organization will be an added advantage.

Skills and competencies

Technical Competencies:

  • Knowledge to develop and manage Data Protection strategy and policy framework.
  • Knowledge of the Kenya Data Protection Act (2019) and related laws as well as applicable CBK Prudential Guidelines on data protection and privacy.
  • Technical skills to effectively perform IS security management activities/tasks in a manner that consistently achieves established quality standards or benchmarks. This includes management of key processes like vulnerability/patch management, logging and monitoring, access control, endpoint protection, threat detection and response, secure configuration etc.
  • Knowledge to develop and manage Business Continuity and Disaster Recovery plans and processes.
  • Knowledge and effective application of all relevant banking policies, processes, procedures and guidelines to consistently achieve required compliance standards or benchmarks.
  • Knowledge and application of modern IS security management practices and best practice compliance standards in financial services industry, to proactively define and implement security quality improvements in line with technological and product changes.
  • Performance management to optimise personal and team productivity.
  • Management and regulatory reporting.

Behavioural Competencies:

  • Interpersonal skills to effectively communicate with and manage expectations of all team members and other stakeholders who impact performance.
  • Self-empowerment to enable development of open communication, teamwork and trust that are needed to support true performance and customer-centric culture.
  • Demonstrable integrity and ethical practices.

Work Hours: 8

Experience in Months: 36

Level of Education: bachelor degree

Job application procedure

Interested and qualified? Go to Gulf African Bank on gulfafricanbank.com to apply