Senior Information Security Specialist Governance and Compliance
Abu Dhabi Commercial Bank (ADCB)
Manage the design, implementation, operation and maintenance of the Information Security Management System based on the ISO/IEC 27000 series standards & other relevant and required standards, including certification against ISO/IEC 27001 where applicable. Develops or commissions suitable information security awareness, training and educational activities throughout the bank to ensure that security risks and incidents are reduced and to ensure compliance with various regulatory requirements .Develop and Implement Information Security policies, procedures and standards based on regulatory and legal requirements. Manage and ensure compliance to PCI DSS, PCI PIN and other regulatory requirements. Develops compliance assessment as per international standards and ensure compliance with Information security policies and standards and other regulatory requirements.
Main Tasks and Responsibilities
Support strategic security planning to achieve business goals by prioritizing security initiatives and coordinating the evaluation, deployment, and management of current and future security technologies
Promote strategic security relationships between internal resources and external entities, including government, vendors, and partner organizations.
Identify protection goals, objectives and metrics consistent with corporate strategic plan.
Liaison with and offers strategic direction to related governance functions (such as Physical Security/Facilities, Risk Management, IT, HR, Legal and Compliance) plus senior and middle managers throughout the organization as necessary, on information security matters such as routine security activities plus emerging security risks and control technologies
Integrate security into various life cycle process like Software Development, Project Management, ITIL ( IT Infrastructure Library ) and other related processes
Maintain relationships with local and federal law enforcement and other related government agencies.
Promoting, advocating and managing all aspects of the Software Escrow Arrangements.
Develop and Roll Out Information Security Awareness campaign for staff and customers based on need assessment and current threat landscape to protect organization information assets
Initiates, facilitates, and promotes activities to create information security awareness within the organization
Roll out information security awareness programs for specific audience to change aspects of their security behaviour.
Develop programmes for assessing the information security awareness level using surveys and other techniques that provide accurate information
Liaison with various departments to collect their input as to the security topics that interest them.
Delivery of Information Security awareness trainings to various critical departments such as Card Centre, Contact Centre, and Branches etc.
Ensure the complete and comprehensive rollout of information security awareness training into E-Learning solution .
Manage the development and implementation of organization Information Security policies, procedures standards, and guidelines incorporating standards, laws, and regulations like PCI DSS, PCI PIN UAE CB, ESCA and other application regulations to ensure ongoing maintenance of security.
Develop plans and conduct periodic review of information security policies , standards and other technical documents needed to advance information security in organization
Conduct Gap analysis of Information security policies in place and being effective and those established at international standards and to address emerging and current threats landscape thus highlighting deficiencies for remedial action.
Assists with the establishment & refinement of procedures and processes for the identification of organizational information assets as well as the classification of these assets with respect to criticality and sensitivity
Identify System Owners and Classify existing and new systems based on criticality and sensitivity
Provide periodic management reports on asset criticality
Ensure Asset Inventory is updated on a continuous basis.
Manage the design and operation of related compliance monitoring and improvement activities to ensure compliance both with internal security policies etc. and applicable laws and regulations
Conduct compliance reviews of live systems to enforce compliance with organization security policies and standards on a regular basis and maintain list of non-compliance issues and feed into the technology risk management program
Generate Monthly Compliance Reports
Ensures that formal information access requests are dealt with according to approved procedures and are provided based on need to know.
Develop Access Control Matrix to ensure that privileges are provided based on business need to know and least privilege
Ensure that access-control matrix for all applications in the Bank are reviewed and documented and ensuring that they are kept up-to-date.
Ensure that the access control matrix changes are incorporated/updated as and when the process, or people changes.
Design, establish and maintain Business Access Profiles and control matrixes so that role based access can be provided to users
Analyze and write specifications for the development of control tools
Manage programmes and processes to ensure compliance with PCI-DSS ISO 27001, PCI PIN, ESCA, UAE CB requirements and other requirements that the bank need to comply
Provide expert advice to the organisation, ensuring compliance, and conformance, on ISO27001 and, generally, on information risk analysis/management.
Generate monthly reports on the state of compliance of organization with respect of various application regulatory requirements
The role is responsible to managing information security strategic projects like DLP, Identity Management etc
Keep abreast of latest security trends, regulations, advisories, alerts and vulnerabilities pertaining to Banking industry.
Maintain up-to-date knowledge of the IT security industry including awareness of new or revised security solutions, improved security processes and the development of new attacks and threat vectors.
Professional Certifications such as CISSP, CISA, SANS, CISM are mandatory
The incumbent should preferably have 7-8 years of experience in a Banking industry or similar environment, e.g. a demanding service industry where employees are able to work under pressure.
An in-depth knowledge in information security, specifically in compliance assessment, policy development, and industry standard frameworks such as ISO 27001, PCI-DSS, etc., preferably gained in the Financial Services sector; experience in service continuity would also be desirable
Thorough knowledge of firewalls, network components such as router/switches and related protocols, intrusion prevention systems, antivirus software, web content filtering, database products; the incumbent should also have a sound understanding of the vulnerabilities in operating systems, databases and major applications and must possess the technical knowledge necessary to mitigate these vulnerabilities
Good understanding in various security concepts like access control, physical security, operational security, management controls etc
Experience in designing specific operational level security policies, standards and processes (like email & internet policy, password management process, etc)
Thorough knowledge of operating systems such as Windows Server OS, Linux, Unix, Solaris, AIX, and databases such as MS SQL, Oracle, etc.
Experience in designing and delivering solutions that deliver highly secure and available IT services in line with business requirements
Strong awareness of application security requirements and techniques
Knowledge and ability to apply compliance management techniques to security policy enforcement.
Experience in developing security policies, guidelines and standards
Experience in handling coaching / training classes
Possess strong presentation and negotiation skills and a high aptitude to work as a lead auditor.
Strong written and verbal communication skills in English in order to clearly disseminate security messages and practices to senior management and other staff, and for contributing to security policy and process documentation
Experience in liaison with other departments and other stakeholders
Extensive experience in enterprise security document creation.
Experience in designing and delivering employee security awareness training.
Ability to conduct research into IT security issues and products as required.
Ability to present ideas in business-friendly and user-friendly language.
Ability to effectively prioritize and execute tasks in a high-pressure environment
About the Company
About the Company
ADCB was incorporated on 1 July 1985 as a public joint stock company for an unlimited duration in the Emirate of Abu Dhabi, UAE. ADCB is registered under the UAE Federal Commercial Companies Law No. (8) of 1984 under registration number 4 and operates in the UAE under a banking licence issued by the Central Bank of the UAE.
ADCB provides a range of consumer and corporate banking, Islamic banking, trade finance, structured finance, foreign exchange, derivatives, and financial advisory services, primarily in the United Arab Emirates. In addition, ADCBs subsidiary Abu Dhabi commercial Islamic Finance PSC holds an Islamic banking license.
As at 31 December 2010, ADCB operated 47 branches, 4 pay offices and 265 ATMs in the UAE; 4 new branches and 99 new ATMs were added during 2010. ADCB also operated 2 branches in India.