Manager – Information Security job at Bank of Africa Kenya Limited

BANK OF AFRICA - KENYA LIMITED (BOA-KENYA) is a commercial bank providing banking services to corporate, SME and retail clientele.

Responsibilities and Accountabilities.

  • Develop and implement the Bank’s information security strategy, framework and policies, and liaise with the Head of Enterprise Risk to ensure full alignment with the Bank’s Enterprise Risk Management Framework and Governance, business goals and group requirements.
  • Drive and ensure the full implementation of all technology control systems and continuously monitor them against business requirements, identified and reported incidents and good practices to ensure that they remain relevant and robust.
  • Design and put in place an appropriate information security architecture and coordinate reviews to assess data losses and breaches and prioritize solutions and actions to minimize and mitigate business threats and risks.
  • Develop and implement information security risk assessments and penetration testing schedules and procedures and ensure these are undertaken as required to identify and remediate vulnerabilities.
  • Lead in the implementation and continuous monitoring of systems, applications, platforms etc. to facilitate effective incident response management and ensure timely containment and recovery.
  • Contribute to the development and introduction of new products, services, channels and IT systems by reviewing their information system/ technology requirements and processes to provide assurance of compliance with all stipulated security compliance thresholds.
  • Review and approve key infrastructure change requests and ensure all requests and approvals are within the minimum risk and compliance thresholds.
  • Establish and implement an information security business continuity plan and processes and continuously run tests to ensure it is fit for purpose, identify gaps and follow up on agreed actions to avoid negative impacts on the Bank’s processes and operations and to ensure continuity in the event of a disruption.
  • Develop and implement security awareness sessions for both employees and customers to enhance the overall security culture.
  • Ensure that all regulations, group requirements and best governance practices are embedded in the Bank’s information system and cyber security practices to ensure compliance and adherence to ISO 27001, PCI DSS, CBK prudential guidelines, data protection regulations etc.
  • Liaise and collaborate with all risk, compliance and audit teams to ensure all necessary assessments and audits are carried out on time, relevant information is provided and proactively implement recommendations and agreed actions.
  • Manage the security risks associated with third-party information services/ technology vendors and partners by undertaking risk assessments, identifying potential risks and gaps, ensuring all SLAs are met and by providing relevant guidance, when required, on controls or mitigants to eliminate, minimize and or manage
  • Prepare and submit information security risk reports including monthly and quarterly group, management and Board reports.

Minimum Requirements: Work Experience, Academic and Professional Qualifications.

  • Bachelor’s degree in information systems, Computer Science, Information Security or any related field from a recognized and accredited institution.
  • At least eight (8) years’ experience in information security, risk management and governance with at least three (3) years conducting compliance assessments, implementing IT controls, cyber security management etc.
  • Certified in information security knowledge areas, such as an ISACA related certification e.g. CISM/ CISA, Certified Ethical Hacker, Licensed Penetration Tester amongst others and from a recognized and accredited institution.
  • In-depth knowledge of information security governance frameworks such as ISO 27001/2, PCI DSS, NIST, OWASP etc.
  • Knowledge of authentication, End Point Security, Internet Policy Enforcement, Firewalls, Web Content Filtering, Database Activity Monitoring (DAM), Public Key Infrastructure (PKI), Data Loss Prevention (DLP), Identity and Access Management (IAM).
  • Good knowledge of the local and regional regulatory and statutory information security and risk management, cyber security and data protection requirements and good/ best industry practices.
  • A good understanding of banking and/or financial services operations, processes and practices.

Competencies and Attributes.

  • Driven by results and business outcomes.
  • A good understanding of business principles and industry and market trends.
  • Critical thinker – Objective analysis of information, consideration of multiple perspectives, etc.
  • Ability to analyze and define a problem, evaluate alternatives, find efficient solutions, and make optimal desirable choices/ decisions.
  • Goal oriented – Setting clear objectives and actively working to achieve them.
  • Strong planning, organization and self-management.
  • Continuous professional learning – Ability to continuously acquire knowledge and keep up to date with current happenings and new industry developments.

Vacancy title:
Manager – Information Security

[Type: FULL_TIME, Industry: Banking, Category: Management, Computer & IT, Business Operations]

Jobs at:
Bank of Africa Kenya Limited

Deadline of this Job:
Saturday, March 7 2026

Duty Station:
Nairobi | Nairobi

Summary
Date Posted: Wednesday, February 25 2026, Base Salary: Not Disclosed

Work Hours: 8

Experience in Months: 12

Level of Education: bachelor degree

Job application procedure

Never pay for any notarisation, certificate or assessment as part of any recruitment process. When in doubt, contact us

Click Here to Apply Now
