Cybersecurity Analyst (Business Analyst 1), Policy Division job at Central Bank of Kenya

Background

The Central Bank of Kenya is a public institution established under Article 231 of the Constitution of Kenya, 2010. The Bank is responsible for formulating monetary policy to achieve and maintain price stability and issuing currency. Pursuant to the CBK Act, the Central Bank promotes financial stability through regulation, supervision and licensing of fin...

Job Purpose

The role holder will be responsible for assessing and evaluating the adequacy and effectiveness of cybersecurity frameworks and strategies employed by licensed Financial Institutions through conducting vulnerability assessments and penetration tests (VAPTs).

Key Duties and Responsibilities

Strategic Responsibilities

  • Contributes as appropriate to the overall achievement of the Central Bank’s strategic objectives.

Technical and Operational Responsibilities

  • Conduct comprehensive onsite surveillance of licensed Financial Institutions to ensure compliance with the relevant laws, regulations and guidelines. This will include normal inspection engagement activities, including examining the adequacy of IT risk management practices of a Financial Institution in support of the accuracy and reliability of Financial Statements.
  • Conduct Vulnerability Assessment and Penetration Tests (VAPTs) to evaluate the security of a Financial Institution’s IT systems, network and applications.
  • Document the results of inspection engagements in accordance with the Department’s guidelines using the Audit Management software, e.g. TeamMate.
  • Conduct Cybersecurity risk assessments of licensed Financial Institutions, covering internal, external and third-party Cyber risks. This includes risks associated with partnerships with Financial Technology (Fintech) companies on the introduction of new products and services.
  • Review Cybersecurity policies and procedures instituted by licensed Financial Institutions to ensure alignment with Prudential, Risk Management Guidelines and Best Practices.
  • Review licensed institutions’ annual reports on Cybersecurity audits and vulnerability assessments and follow up on the resolution of highlighted recommendations.
  • Analyse reported Cybersecurity incidents and prepare periodic reports.
  • Follow up with the supervised Financial Institutions on Cyber incident response and recovery activities for business continuity.
  • Coordinate with other CBK departments, including Cyber Fusion Unit (CFU), Banking and Payment Services (BPS) and/or Information Technology Department (ITD) as required, to ensure that optimal guidance and response activities are undertaken by the affected institutions.
  • Monitor reported incidents to identify attack trends and determine suitable mitigation strategies.
  • Perform other additional tasks that the team will be involved in, including the preparation of various internal and external documents, e.g. memos, reports, and correspondence letters.
  • Any other responsibility as may be assigned by the Line Manager.

Qualifications

  • Bachelor’s Degree in Computer Science, Computing and Information Systems, Network Engineering or other IT/security/network-related degrees.
  • Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), Offensive Security Certified Professional (OSCP), Cisco Certified Internetwork Expert (CCIE) Security, CSX Practitioner or related penetration testing certification with IT audit experience preferred.
  • Certifications such as Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or Certified Information Systems Security Professional (CISSP) or related discipline.
  • Active membership in at least one (1) relevant professional body.

Work Experience

  • At least two (2) years of post-qualification experience in Information Systems Audit or Cybersecurity review, vulnerability assessments and penetration tests, or any other relevant area.

Skills

  • Vulnerability Assessment
  • Penetration Testing
  • Cybersecurity Risk Assessment
  • IT Risk Management
  • Cybersecurity Audits
  • Incident Response
  • Business Continuity
  • Policy Review
  • Report Preparation
  • TeamMate Software (preferred)

Vacancy title:
Cybersecurity Analyst (Business Analyst 1), Policy Division

[Type: FULL_TIME, Industry: Finance, Category: Computer & IT, Civil & Government, Business Operations]

Jobs at:
Central Bank of Kenya

Deadline of this Job:
Wednesday, December 24 2025

Duty Station:
Nairobi | Nairobi | Kenya

Summary
Date Posted: Thursday, December 4 2025, Base Salary: Not Disclosed

Work Hours: 8

Experience in Months: 12

Level of Education: bachelor degree
