Job Description:
Job Title - Chief Information Security Officer.
Department - Risk.
Grade - Senior Vice President.
Location - Mumbai.
Reporting To - Chief Risk Officer.
POSITION PURPOSE :-
This role is responsible for the bank's information and data security. It is responsible for establishing the right security and governance practices and for enabling a framework for risk-free and scalable business operations in a challenging business landscape. The role requires a high degree of technical knowledge in the development and implementation of security controls and compliance across the e-business, working closely with functional business heads to ensure that security controls are effective.
A.KEY POSITION RESPONSIBILITIES
Direct Responsibilities:
•Place review of cyber security preparedness of the bank before the board or IT sub-committee to the board on a quarterly basis.
•Inform the board members of the vulnerabilities and IT risks in the bank.
•Act as member secretary of the IT Security Committee and convene its meetings.
•Invitee to IT Strategy committee and IT Steering committee
•Ensure the Information Security Policy is followed in the bank.
•Assess risk in the bank's information assets and data.
•Manage and monitor the Security Operations Center.
•Define strategies for incident identification and response.
•Ensure compliance with circulars, advisories and alerts issued by regulators such as RBI/CSITE.
•Implement information security strategies and tools.
•Prepare KRIs and KPIs for information security.
•Manage and monitor cyber risk arising out of new threats.
•Analyze the new Cyber Threat Landscape and formulate security strategies to secure the bank.
Risk Identification, Assessment and Evaluation:-
•Identify, assess, and evaluate risk to enable the execution of the enterprise risk management strategy.
•Collect information and review documentation to ensure that risk scenarios are identified & evaluated.
•Identify legal, regulatory, and contractual requirements and organizational policies and standards related to information systems to determine their potential impact on the business objectives.
•Identify potential threats and vulnerabilities for business processes, associated data and supporting capabilities to assist in the evaluation of enterprise risk.
•Create and maintain a risk register to ensure that all identified risk factors are accounted for.
•Assemble risk scenarios to estimate the likelihood and impact of significant events to the organization.
•Analyze risk scenarios to determine their impact on business objectives.
•Develop a risk awareness program to ensure that stakeholders understand risk and contribute to the risk management process and to promote a risk-aware culture.
•Correlate identified risk scenarios to relevant business processes to assist in identifying risk ownership.
•Validate risk appetite and tolerance with senior leadership and key stakeholders to ensure alignment.
Risk Response & Monitoring:-
•Develop and implement risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.
•Identify and evaluate risk response options and provide management with information to enable risk response decisions.
•Review risk responses with the relevant stakeholders for validation of efficiency, effectiveness, and within risk threshold.
•Apply risk criteria to assist in the development of the risk profile for management approval.
•Assist in the development of risk response action plans to address risk factors identified in the organizational risk profile.
•Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise’s risk management strategy.
•Collect and validate data that measure key risk indicators (KRIs) to monitor and communicate their status to relevant stakeholders.
•Monitor and communicate key risk indicators (KRIs) and management activities to assist relevant stakeholders in their decision-making process.
•Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
•Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.
Information Systems Control Design and Implementation:-
•Design and implement information systems controls in alignment with the organization’s risk appetite and tolerance levels to support business objectives.
•Interview process owners and review process design documentation to gain an understanding of the business process objectives.
•Design information systems controls in consultation with process owners to ensure alignment with business needs and objectives.
•Implement information systems controls to mitigate risk.
•Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of information systems control performance in meeting business objectives.
•Assess and recommend tools to automate information systems control processes.
•Ensure all controls are assigned to control owners to establish accountability.
•Establish control criteria to enable control life cycle management.
Information Systems Control Monitoring and Maintenance:-
•Monitor and maintain information systems controls to ensure they function effectively and efficiently.
•Plan, supervise and conduct testing to confirm continuous efficiency and effectiveness of information systems controls.
•Collect information and review documentation to identify information systems control deficiencies.
•Review information systems policies, standards and procedures to verify that they address the organization's internal and external requirements.
•Evaluate the current state of information systems processes using a maturity model to identify the gaps between current and targeted process maturity.
•Determine the approach to correct information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated.
•Maintain sufficient, adequate evidence to support conclusions on the existence and operating effectiveness of information systems controls.
•Provide information systems control status reporting to relevant stakeholders to enable informed decision making.
IT Risk Policies/Governance and Compliance:-
•Coordinate the development and ongoing maintenance of other information security policies and procedures.
•Ensure that all information security policies and procedures are compliant with regulatory requirements and in line with security best practices.
•Maintain a schedule of policy review and submission to the board for approval.
Audits and Reviews Preparation and Facilitation
•Serve as liaison to auditors, consultants and third-party partners for periodic risk reviews.
•Communicate audit and review results to appropriate parties; ensure that issues are addressed, and corrective actions are implemented.
•Keep a tracking action list of all Information Security audit issues.
B.QUALIFICATIONS AND EXPERIENCE REQUIREMENT:-
Qualifications-
Bachelor’s degree required. A Master’s degree in IT or Business, with an emphasis on banking-related disciplines, is preferred.
Relevant certifications such as CISSP, CISM, CISA, or CRISC are highly desirable.
Essential:- Over 15 years of relevant experience in information security risk, both designing the framework and implementing it, in the banking sector, preferably in the Consumer and Retail segment.
Preferred:- Strong BFSI experience.
C.COMPETENCY :-
a.Technical Skills
Skill Attribute
•Must have excellent knowledge of information security and digital payment security, architecture, and consulting or industry experience.
•Ability to think strategically; a strong perspective on where the industry/practice is headed while leveraging existing company strengths to get there.
•A proven record in directly generating and sustaining high impact client relationships, yielding a meaningful level of revenue/margin contribution.
b.Behavioural Skills:-
Competencies Attribute
Professionalism - To conduct your duties with good judgment and in good faith.
Respect - To be sensitive and responsible for what we say and do.
Excellence - To act in a manner that earns the trust and admiration of others.
Entrepreneurial - To be enterprising and take ownership of our actions.
Teamwork - Working collaboratively to achieve the common goals and be successful together.