AVP Governance, Risk & Compliance - Information Security Group (ISG)

2 - 3 years

7 - 8 Lacs

Posted: 2 days ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description

To develop, manage, and execute Information Security Governance, Risk and Compliance across Mashreq to:

  • Contribute strategically to the bank's success and enable the business and technology strategy of the bank to expand with a secure and reliable service offering.

  • Navigate compliance complexities and support compliance with information security requirements across regions.

  • Ensure the confidentiality, integrity, and availability of our sensitive information and IT assets, and take a proactive approach to building a resilient security posture.

  • Empower a security-conscious culture - all while.


The Manager IS Governance, Risk and Compliance (IS GRC) has overall responsibility for information security governance, risk and compliance management, and supports the Head of IS GRC in achieving the organization's security strategy and goals. He / She is the deputy of the Head of IS GRC.

The Manager of IS GRC is a T-shaped expert with proven skills in most core capability areas of IS GRC: Policy, Governance and Culture; Cyber Strategy & Program Management; and Risk and Compliance. She / He will actively develop expertise and leadership in the other capability areas to cover the full GRC scope, including by rotating roles between the managers of IS GRC.

The Manager of IS GRC will lead a Center of Excellence in his or her area of primary focus and support the growth of T-shaped expertise in the COE.

Performance evaluation of the role will be based on the positive impact on the bank in terms of risk reduction, rather than on the effort expended.


  • A mid-senior level officer with sound knowledge and around 10 years of expertise in information security risk management, including around 3 years of experience managing enterprise projects and of direct and indirect relationships with senior and executive management.

  • Strong experience and knowledge across the Information Security and Cyber Security domains, including governance, policy and procedures, compliance management, risk management, security incident response, etc.

  • Strong experience in a banking environment with a strong understanding of key security frameworks such as ISO 27001.xx, NIST 800.xx, PCI-DSS, SWIFT CSP, COBIT, etc.

  • Strong interpersonal, analytical, and technical skills, with strong decision-making and prioritization skills.

  • Sound knowledge of evolving advanced tech stacks and the related control and risk universe.

  • Sound knowledge and expertise in conducting risk assessments.

  • Over 10+ years of rich experience in the information security domain and at least 2-3 years of dedicated experience in one of the GRC domains (Policy, Governance and Culture; Cyber Strategy & Program Management; Risk and Compliance).

  • Master's degree in IT / Information Security.

  • Professional certifications: CISA, CISSP, PCI-QSA, SABSA, etc.

Policy, Governance & Culture

  • Information Security Framework, Policy, and Standards: Lead the development and implementation of a comprehensive information security framework, policies, and standards to ensure the organization's information assets are adequately protected.

  • Enable the mechanism to assess, monitor and report on implementation status.

  • Ensure group practices are in line with security standards such as ISO 27001, NIST and others.

  • Security Governance and Reporting: Ensure preparation, delivery and follow-up of the key ISG committees, including the Information Security Committee, Business Engagement meetings, ORC and BRC, with quality and on time. Obtain all prerequisite reviews and approvals in a timely manner.

  • Manage actions from those committees with proper tracking and timely closure.

  • KPIs & KRIs: Enable and monitor key security metrics, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs) as required to measure the effectiveness of the information security program.

  • Cyber Culture: Promote a culture of cyber security awareness across the organization.

  • Develop and deliver training programs to enhance employees' understanding of cyber threats and preventive measures.

  • Facilitate and foster activities to create an information security culture and behavior across the organization.

  • Ensure that training and learning requirements are assessed for staff, and that the required training and awareness are captured and enabled so that the organization has the necessary skills to manage cyber risks.

  • Peer Security Engagement: Collaborate with peers across the organization to share and implement best practices for information security. Foster a culture of continuous learning and improvement. Develop and implement, in collaboration with FP&I, HR and Communications at minimum, a security behavior and culture program. Update and align existing content, particularly online training and induction training, to ensure continuous alignment with business needs, the internal and external threat landscape, and regulatory requirements.

  • Audit Support: Enable the Information Security department in preparing for internal and external audits and be on the front line to support audit activities. Manage internal and external audits on ISG; track and manage timely remediation.

  • Drive security enhancements to ensure the organization stays ahead of peers in terms of information security posture.

  • IS Regulatory Calendar & Task Management: Manage the IS regulatory calendar and ensure that all regulatory tasks are completed on time. Identify frequency-based regulatory requirements related to ISG from HO and the international regions, and develop and release an annual regulatory activity calendar on the GRC solution for effective tracking and governance.

  • Oversee and support key regulatory projects from a 2nd-line perspective to ensure the bank is compliant with key regulatory frameworks, i.e. PCI-DSS, SWIFT CSP and NESA IAS (Information Assurance Standard). Identify and ensure compliance with regulatory requirements through proactive collaboration with business units and local CISOs.

  • Regulatory Submission: Govern all regulatory submissions related to information security / cyber security across the regions, with the supporting data required from ISG.

  • Govern regulatory-mandated information security / cyber security regulations and standards across the regions, including the cyber security frameworks in India, Kuwait and Egypt, NESA, SWIFT-CSP, PCI-DSS, DFS 500, FFIEC, HKMA-CFI, etc.

  • Update the board of directors on NESA-IAS (Information Assurance Standard) compliance annually, as per the CBUAE mandate.

  • Regulatory Liaising: Act as regulatory liaison officer and co-ordinate with government officials within central banks and other government entities to facilitate the security agenda.

  • IS Regulatory Watch Forum Governance and Reporting: Govern the IS Regulatory Watch Forum, provide regular reports on its activities, and raise awareness among senior managers of the bank of potential regulatory risk.

  • Cyber Insurance: Manage the organization's cyber insurance policy. Ensure that the policy provides adequate coverage for the organization's cyber risks. Evaluate and enable cyber risk insurance for the bank covering head office and international operations to manage any adverse situation arising from cyber risk.

  • Encryption Key Management: Act as key custodian (information security officer) for critical payment system encryption keys, including HSM, SWIFT and B2B connections to card brands and payment processors.


General


  • Maintain a GRC roadmap and present progress bi-monthly to the Head of IS GRC.

  • Demonstrate adoption of the ISG vision, mission, key principles, and cultural and operational objectives. Actively support key ISG transverse initiatives.

  • Manage the main GRC Run The Bank and Change The Bank agenda to deliver quality results on time and on budget. Escalate in advance any alert, risk, critical dependency or issue that arises, with options for its management, to ensure proactive management and no surprises.

  • Ensure preparation, execution and follow-up of regulatory examinations, audits, and assessments. Those reviews shall not result in any critical or high-risk issue for ISG or for ISG GRC.

  • Ensure closure of all legal, regulatory and audit issues with the expected level of quality, on time and on budget.
