Information Assurance Analyst At ABSA Group Limited

Absa Group Limited is listed on the JSE and is one of Africa’s largest diversified financial services groups with a presence in 12 countries across the continent and around 41 000 employees.

We own majority stakes in banks in Botswana, Ghana, Kenya, Mauritius, Mozambique, the Seychelles, South Africa, Tanzania (ABSA Bank in Tanzania and National Bank of Commerce), Uganda and Zambia. We also have representative offices in Namibia and Nigeria, as well as insurance operations in Botswana, Kenya, Mozambique, South Africa, Tanzania and Zambia.

Information Assurance Analyst At ABSA Group Limited

Position: Information Assurance Analyst
Location: Absa House – ABT
Bring your possibility to life! Define your career with us
With over 100 years of rich history and strongly positioned as a local bank with regional and international expertise, a career with our family offers the opportunity to be part of this exciting growth journey, to reset our future and shape our destiny as a proudly African group.

Supervise and manage the planning and implementation of security programs and systems. Monitor the security of information systems, perform scans, carry out updates, and investigate security incidents. Help establish guidelines, policies, and procedures for keeping information secure which reflect user needs.

This role encompasses 5 main areas of information Security and Continuity:
• Cyber Security
• Data Privacy and Data Quality
• Information Risk Management
• Information Technology Compliance
• Business Resilience Crisis Management

Job Description

• Safeguards information system assets by identifying and solving potential and actual security problems.
• Protects system by defining access privileges, control structures, and resources.
• Recognizes problems by identifying abnormalities; reporting violations.
• Implements security improvements by assessing current situation; evaluating trends; anticipating requirements.
• Determines security violations and inefficiencies by conducting periodic audits.
• Upgrades system by implementing and maintaining security controls.
• Keeps users informed by preparing performance reports; communicating system status.
• Maintains quality service by following organization standards.
• Maintains technical knowledge by attending educational workshops; reviewing publications.
• Contributes to team effort by accomplishing related results as needed
• keep up to date with the latest security and technology developments
• research/evaluate emerging cyber security threats and ways to manage them
• plan for disaster recovery and create contingency plans in the event of any security breaches
• monitor for attacks, intrusions and unusual, unauthorised or illegal activity
• test and evaluate security products
• design new security systems or upgrade existing ones
• use advanced analytic tools to determine emerging threat patterns and vulnerabilities
• engage in ‘ethical hacking’, for example, simulating security breaches
• identify potential weaknesses and implement measures, such as firewalls and encryption
• investigate security alerts and provide incident response
• monitor identity and access management, including monitoring for abuse of permissions by authorised system users
• liaise with stakeholders in relation to cyber security issues and provide future recommendations
• generate reports for both technical and non-technical staff and stakeholders
• maintain an information security risk register and assist with internal and external audits relating to information security
• monitor and respond to ‘phishing’ emails and ‘pharming’ activity
• assist with the creation, maintenance and delivery of cyber security awareness training for colleagues
• give advice and guidance to staff on issues such as spam and unwanted or malicious emails

• Review controls implemented by the business (1st LoD) to inform, advise and issue recommendations to the business with regards to data protection, privacy and compliance, including with data protection requirement and internal policies and guidelines
• Foster a data protection culture within the bank and help to implement essential elements of the data protection (e.g. principles of data processing, data subjects’ rights, data protection by design and by default, security, data breaches management)
• Advise 1st LoD (controllers/ processors) and DPOs regarding data protection and privacy management requirements and policies (e.g. DPIA process & objectives, safeguard measures to mitigate the risks – technical, organizational & formal –, record of processing operations management)
• Promote continuous training to maintain data protection awareness and feedback, and also include protection as part of the ARO Data Privacy plan agenda
• Document all decisions taken consistent with and opposing DPO’s advice
• Support DPO Group in the communication and as point of contact for both data subjects (e.g. customers) and the regulatory authorities
• Offer consultation once a data breach or other incident has occurred and must be involved in relevant issues in a timely manner and report directly to highest management level
• Attend regular/ ongoing data protection, information security and privacy training
• Track country DP requirement implementation in respect of:
  • Privacy impact assessments, Privacy notices roll out
  • Personal data collection, creation & processing
  • Personal data transfers & Further processing of personal data
  • Records management
  • Data management – CDO
  • Direct marketing customer consent
  • Privacy related complaints
  • Information security
  • Incident Management
  • Breach escalation to Compliance
• Report on implementation progress status (milestones achieved& escalate slippage)
• Testing of adherence to Standards and escalation of non-adherence to Standards.
• Compilation of Country DP risk profile (based on progress status and testing results)

• Champions the cause of Information Risk Management in ABT by implementation of Absa IRM framework, policies, standards, guidelines, procedures and resulting controls to include Education & Awareness, Information Classification and Handling, Records Management, Data Quality and Logical Access Management.
• Ensure implementation of key controls for Data Privacy and Social Media.
• Ensure controls implementation in tune with cost-benefit analysis.
• Plan and implement effective IRM Risk Assurance Framework (comprising of Management Self-Assessment, Conformance Testing, RCA Testing, Conformance Review and IRM Calendar activities).
• Evidence based Conformance Testing programme in line with the Risk Assurance framework must be implemented.
• Ensure local risk assessments to assess all processes and systems, clearly identifying risks/issues and the controls required to mitigate those risks/issues.
• Lead team to implement effective Logical Access Management framework for risk against unauthorised access to Barclays information (Joiners, Movers and Leavers; Access Directory; Applications; Databases; Servers, Network devices etc.)
• Ensure Logical Assess Management for all operations process is document, implemented, maintained and periodically reviewed as per Group IRM standards and SOX requirements. Access permissions must be developed to support Segregation of Duties.
• Ensure ISO 27001 is implemented for all Tanzania sites and processes.
• Implement Third party controls such as risk assessment for any new third party where data is exchanged. Implement IRM standard for the same.
• Undertake local 3rd Party Due diligence for vendors / service providers
• Champion the cause of Record management for all process in Tanzania.
• Execute Data Privacy requirements from local laws and Group requirements.
• Ensure protection of company’s Intellectual property, customer and associate information, in accordance with regulatory norms.
• Ensure that the security and operation risk metrics as defined by the group are measured, recorded and reported in accordance with the group policies and requirements.
• Ensure that all IRM risks are captured and addressed adequately.
• Ensure that IRM and Data Privacy security awareness programs are driven for all employees as per identified schedules and defined policies and standards.
• Roll-out awareness of key IRM policies via awareness program.
• Responsible for ensuring that specific Information security controls and solutions are applied and comply with the Group Technology/ Group Information Security Policies, and consequently meet the businesses requirement and safeguards Absa reputation.
• Monitor compliance of policies and standards and drive the closure of gaps.
• Develop plans, goals, objectives, and other project management aids for the implementation of ISO 27001.
• Ensure Key Indicators are established for governance of IRM Security and released to leadership, Implement and maintain various security tools across Tanzania such as end point protection, hard disk encryption etc.
• Implement IS incident management procedures, and be the contact for IS incidents. Investigate or assist in the investigation of criminal, disciplinary or security incidents and report findings, as necessary.
• Develop and maintain relationships with the Tanzania senior management teams, meeting regularly to review the Function’s risk profile/other governance and control matters and to obtain appropriate sign off and acceptance for risk/control exposures.

• Perform all departmental administrative activities, including staff meetings, attendance, monthly status reporting, budgeting, strategic planning, expense processing, documentation, and other activities, as assigned, in a timely manner.
• Manage CRISIS leadership and updates the call tree on time.
• Overall – ensure that plans are properly rated for all business process areas, contain all required sections, and reflect current conditions. Ensure that plans and strategies are appropriate, cohesive and viable, and could be used to recover key functions within required time frames.
• Conduct BIA for assigned Strategic Business Units (SBUs) and Shared Service Units (SSUs).
• Train Branches and Critical business units in the correct implementation of BC & DR processes, standards and impart training to ensure recoverability of business processes and supporting services across SBUs and SSUs.
• Support review and maintenance of business continuity policy, standards and processes.
• Support internal reporting and tracking of business continuity related issues and remediation activities.
• Support assigned oversight areas with the creation, maintenance and testing of their various business continuity plans.
• Support the identification of Business Continuity related risks (internal / external), the assessment of their likelihood, as well as potential impacts and risk mitigation plans.
• Proactively identify and implement BCP program and process improvements.
• Provide ongoing SME guidance and assistance to SBUs and SSUs on business continuity matters.
• Make sure the BCM plan for all CRITICAL business systems including Teller Systems, ITAX payments, Payments RTGS, Cross Border and many more based on assessment done is agreed, signed off and implemented. The testing needs to be done is Application testing and Operational testing
• Make sure the annual BCM plan for the bank is sent for BOT approval every year
• Make sure the banks follows the BOT BCM regulations and standards set.
• Overall — ensure that IT DR applications have a fully documented, tested, executable plans that contain all the required information, reflect current conditions from an IT infrastructure recovery standpoint, and able to support the recovery objectives of the organization.
• Make sure the Country Primary Data Centre has DR minimum DR capabilities in plan and tested.
• Design, coordinate and execute BCP/DR annual test exercises for critical business processes, and produce test reports including lessons learned. Coordinate follow up on lessons as required.
• Partner with infrastructure and application areas to develop and maintain recovery procedures for Tier 1 business applications.
• Develop recovery priorities, time lines, and strategy for proper sequence of recovery components.
• Educate and train IT members in practices of technology risk disaster recovery planning.
• Review existing and proposed plans for recoverability effectiveness and identify opportunities for improvement.
• Provide guidance to management in self-assessing their control environment.
• Assist Crisis Management / Incident Management teams during service disruption events, and contribute to process improvement initiatives.
• Develop, review and maintain third party contracts for hardware and telecom services for Disaster Recovery hardware equipment and location resources

• The Job Holder needs to attend the following meetings in absence of or directed by the Line Manager – Information Assurance Manager:
  • In-country RDARR meeting and owns the all actions related to COO function
  • Organises and prepares deck for In-country Data Privacy meetings and owns all actions related to COO
  • Attends ARO RDARR and Data Privacy forum meetings
  • Attend ARO Crisis Leadership meetings
  • Attend Monthly calls related to Business Resilience ARO forums.
  • Attends all IT related audits meetings, and owns all actions related to IT audits end to end (AIA, External Audits – KPMG and BOT).  Follows up ALL actions to closure including preparation of Issue closure pack.
• Contribute to the development of Information Risk Management and Information Security strategy and the delivery of the business objectives (e.g. supporting plans for expansion into new premises/locations etc.)
• Provide Information Risk consultancy, advice and guidance to both business and management

• Manage risk and control effectively by applying applicable risk frameworks and embedding a positive risk culture
• Understanding of own role in the end to end processes in which you play a part, including applicable risks and controls.
• Adhere to Absa’s policies and procedures applicable to own role, demonstrating sound judgement and responsible risk management.
• Report all risk events / incidents / issues using the defined process for your business area and help to understand why these happened and how to prevent them in future.
• Proactively look for ways to improve the control environment by considering what could go wrong in the processes you operate and how errors could be prevented.
• Continuous and proactive engagement with regulatory bodies, unions where applicable
• All mandatory training completed to deadline

• Higher Diplomas: Business, Commerce and Management Studies (Required)

Deadline: 2020-10-09