On-site
Full Time
The incumbent will work closely with the Group Chief Information Security Officer and Country Manager India in efficient formulation, implementation and management of the Bank's information security policy(s) and compliance programs pertaining to India Operations. The incumbent will ensure efficient management of Information Security Governance, in line with the Reserve Bank of India and other statutory / regulatory bodies governing our India operations.
The job holder will coordinate and execute the information security management system (ISMS) program, security operations, the VAPT program, the red team program, the updating of RBI Daksh portal returns before the deadline, and Cyber Security Framework implementation. The job holder will also ensure that risk management needs in relation to information security, including but not limited to incident response, access control, business continuity and disaster recovery, are duly and promptly addressed. This role requires extensive coordination and teamwork with inter- and intra-department officials.
· Responsible for all cyber security governance framework along with other activities related to information and cyber security aspects as per the directions from Group Chief Information Security Officer.
· Contribute towards formulation of annual strategies, policies, and procedures of the Information Security Section, to support divisional and organizational business strategy.
· Ensure that the Information Security plans are within agreed budgets and timescales. Assist the Country Manager & Group Chief Information Security Officer in preparing/providing timely, accurate and complete progress reports to the Management reviews, RBI, IBA, IDRBT, CERT-In, CSITE etc.
· Update self on the IT/security industry trends, new solutions and techniques, as well as emerging threats and regulatory requirements/changes set by QCB and other relevant government bodies, and suggest adequate changes in the section, including but not limited to staffing of employees, department deliverables etc.
· Develop and maintain robust working relationships with internal/external stakeholders of Doha Bank to facilitate functional / operational/ strategic needs.
· Develop and maintain various performance monitoring check lists as required by ISO27001 /RBI Cyber security Framework for IT and other operations.
· Responsible for managing RBI - CSITE advisories, circulars, policy development, security operation centre (SOC), vulnerability assessment and penetration testing etc.
· Member of Bank’s India Management Committee and Risk Management Committee where information security related risks, gaps and remedial measures are discussed and tabled.
· Complete ownership of Security compliance requirements of all systems /servers pertaining to India operations.
· Ensure successful execution of ISO27001 & PCI-DSS and other industry certifications and governance of the certification programs and reporting the progress to management.
· Perform all activities, as assigned by the Country Manager and Group Chief Information Security Officer, in compliance with relevant local/ foreign regulations, internal Information security policies and procedures as required for strategic partnership or delivery of Banking services.
· Review and ensure that the Information Security processes within Doha Bank, India are operating effectively and efficiently towards achieving high operating standards.
· Perform gap analysis of business operation to ascertain the magnitude of results in terms of non-compliance by the business/support functions with the statutory and regulatory requirements.
· Liaise with external consultants appointed from time to time in assessing the adequacy and effectiveness of the Bank's information security efforts.
· Perform the Risk assessment which would include identification, assessment, monitoring and reporting of key information security risks and prepare the mitigating controls. Regularly follow-up with Operational departments such as IT and Admin on implementing the mitigating controls with appropriate escalation.
· Review and follow up on compliance with applicable laws and regulatory requirements, as updated from time to time, and with the requirements of third-party partners such as CSITE, RBI, NABARD, GOI, State Governments, SWIFT, VISA and Mastercard.
· Ensure that regular VAPT assessments, PCI / ISO27001 assessments, and internal and external audits are properly planned and carried out. Also track compliance and provide updates / escalations to the appropriate authorities. Maintain an updated dashboard.
· Track and update progress on the internal / external audit and VAPT observations and present them suitably to Top Management, highlighting the high-risk areas and dependencies.
· Manage and review Information Security analyses and submit assessment reports on adequacy of control in accordance with policies, standards, procedures to safeguard Bank's assets.
· Depict threats and mitigation options to executive management and preparation of periodic (applicable weekly/ monthly /quarterly) Dashboards, reports, memo, agenda items to Information Security council, Risk Management Committee, Audit Committee of the Board and further compliance of directions.
· Review all data being generated from periodic threat assessments and ensure maximum accuracy. Revalidate observations with technical stakeholders and ensure that the observations from periodic assessments are accurate and complied with.
· Collection and consolidation of data required for monthly /quarterly /Half yearly / yearly - Report submissions / any other compliance reports as required by RBI and its appointed organizations / entities.
· Submit periodic reports / data pertaining to India operations as required by Information Security section, Head office including Bank’s defined internal KRI’s.
· Ensure threats and mitigation measures are correctly populated into the threat register with accurate estimated dates of compliance and threat ratings as per group’s methodology.
· Participate actively during internal/external audits and regulatory reviews and ensure implementation of remediation actions on account of the findings reported.
· Participate in the development and implementation of the Bank's information security policies and procedures and ensure their timely update considering changing circumstances/ best practices/ Regulatory directives.
· Assist the Group Chief Information Security Officer and work closely with the India IT / ITD at Head office on the design and development of Information security or disaster recovery systems.
· Development and implementation of an ongoing risk assessment program targeting information security and privacy matters, and recommend methods for vulnerability detection and remediation and oversee vulnerability testing related to India operations.
· Liaise with the Business Continuity Management section, Head office & India IT operations in preparing the organization's disaster recovery and business continuity plans related to information systems.
· Maintain highest standards of confidentiality, professional conduct, ethics and integrity in the provision of services in the section.
· Implement regular online/classroom training programs on information security awareness and conduct effectiveness test for India Operations.
· Perform all operational activities as assigned by the reporting authorities, in compliance with local regulations, Doha Bank’s policies and units/departments approved policies and procedures.
· Support the reporting authorities in on ground implementation of the procedural control measures identified through audit, risk and compliance observations.
· Support in periodically reviewing and updating the RCSAs pertaining to the processes executed within the unit with identified risks and areas for improvement. Also, ensure adherence to the controls defined in the RCSA.
· Support in timely rectification of observations / gaps identified by audit, compliance and risk.
· Contribute to the amendments of policies and procedures within the unit, as and when needed.
DOHA BANK
Mumbai, Maharashtra, India
Experience: Not specified
Salary: Not disclosed