Senior Information Security Specialist – Governance and Compliance

Job description / Role

Manage the design, implementation, operation and maintenance of the Information Security Management System based on the ISO/IEC 27000 series standards & other relevant and required standards, including certification against ISO/IEC 27001 where applicable. Develops or commissions suitable information security awareness, training and educational activities throughout the bank to ensure that security risks and incidents are reduced and to ensure compliance with various regulatory requirements .Develop and Implement Information Security policies, procedures and standards based on regulatory and legal requirements. Manage and ensure compliance to PCI DSS, PCI PIN and other regulatory requirements. Develops compliance assessment as per international standards and ensure compliance with Information security policies and standards and other regulatory requirements.

Main Tasks and Responsibilities

• Support strategic security planning to achieve business goals by prioritizing security initiatives and coordinating the evaluation, deployment, and management of current and future security technologies
• Promote strategic security relationships between internal resources and external entities, including government, vendors, and partner organizations.
• Identify protection goals, objectives and metrics consistent with corporate strategic plan.
• Liaison with and offers strategic direction to related governance functions (such as Physical Security/Facilities, Risk Management, IT, HR, Legal and Compliance) plus senior and middle managers throughout the organization as necessary, on information security matters such as routine security activities plus emerging security risks and control technologies
• Integrate security into various life cycle process like Software Development, Project Management, ITIL ( IT Infrastructure Library ) and other related processes
• Maintain relationships with local and federal law enforcement and other related government agencies.
• Promoting, advocating and managing all aspects of the Software Escrow Arrangements.

• Develop and Roll Out Information Security Awareness campaign for staff and customers based on need assessment and current threat landscape to protect organization information assets
• Initiates, facilitates, and promotes activities to create information security awareness within the organization
• Roll out information security awareness programs for specific audience to change aspects of their security behaviour.
• Develop programmes for assessing the information security awareness level using surveys and other techniques that provide accurate information
• Liaison with various departments to collect their input as to the security topics that interest them.
• Delivery of Information Security awareness trainings to various critical departments such as Card Centre, Contact Centre, and Branches etc.
• Ensure the complete and comprehensive rollout of information security awareness training into E-Learning solution .

• Manage the development and implementation of organization Information Security policies, procedures standards, and guidelines incorporating standards, laws, and regulations like PCI DSS, PCI PIN UAE CB, ESCA and other application regulations to ensure ongoing maintenance of security.
• Develop plans and conduct periodic review of information security policies , standards and other technical documents needed to advance information security in organization
• Conduct Gap analysis of Information security policies in place and being effective and those established at international standards and to address emerging and current threats landscape thus highlighting deficiencies for remedial action.

• Assists with the establishment & refinement of procedures and processes for the identification of organizational information assets as well as the classification of these assets with respect to criticality and sensitivity
• Identify System Owners and Classify existing and new systems based on criticality and sensitivity
• Provide periodic management reports on asset criticality
• Ensure Asset Inventory is updated on a continuous basis.
• Manage the design and operation of related compliance monitoring and improvement activities to ensure compliance both with internal security policies etc. and applicable laws and regulations
• Conduct compliance reviews of live systems to enforce compliance with organization security policies and standards on a regular basis and maintain list of non-compliance issues and feed into the technology risk management program
• Generate Monthly Compliance Reports
• Ensures that formal information access requests are dealt with according to approved procedures and are provided based on need to know.
• Develop Access Control Matrix to ensure that privileges are provided based on “business need to know” and “least privilege”
• Ensure that access-control matrix for all applications in the Bank are reviewed and documented and ensuring that they are kept up-to-date.
• Ensure that the access control matrix changes are incorporated/updated as and when the process, or people changes.
• Design, establish and maintain Business Access Profiles and control matrixes so that role based access can be provided to users
• Analyze and write specifications for the development of control tools
• Manage programmes and processes to ensure compliance with PCI-DSS ISO 27001, PCI PIN, ESCA, UAE CB requirements and other requirements that the bank need to comply
• Provide expert advice to the organisation, ensuring compliance, and conformance, on ISO27001 and, generally, on information risk analysis/management.
• Generate monthly reports on the state of compliance of organization with respect of various application regulatory requirements
• The role is responsible to managing information security strategic projects like DLP, Identity Management etc
• Keep abreast of latest security trends, regulations, advisories, alerts and vulnerabilities pertaining to Banking industry.
• Maintain up-to-date knowledge of the IT security industry including awareness of new or revised security solutions, improved security processes and the development of new attacks and threat vectors.

Requirements

Professional Qualification
Professional Certifications such as CISSP, CISA, SANS, CISM are mandatory

Experience
• The incumbent should preferably have 7-8 years of experience in a Banking industry or similar environment, e.g. a demanding service industry where employees are able to work under pressure.
• An in-depth knowledge in information security, specifically in compliance assessment, policy development, and industry standard frameworks such as ISO 27001, PCI-DSS, etc., preferably gained in the Financial Services sector; experience in service continuity would also be desirable
• Thorough knowledge of firewalls, network components such as router/switches and related protocols, intrusion prevention systems, antivirus software, web content filtering, database products; the incumbent should also have a sound understanding of the vulnerabilities in operating systems, databases and major applications and must possess the technical knowledge necessary to mitigate these vulnerabilities
• Good understanding in various security concepts like access control, physical security, operational security, management controls etc
• Experience in designing specific operational level security policies, standards and processes (like email & internet policy, password management process, etc)
• Thorough knowledge of operating systems such as Windows Server OS, Linux, Unix, Solaris, AIX, and databases such as MS SQL, Oracle, etc.
• Experience in designing and delivering solutions that deliver highly secure and available IT services in line with business requirements
• Strong awareness of application security requirements and techniques
• Knowledge and ability to apply compliance management techniques to security policy enforcement.
• Experience in developing security policies, guidelines and standards
• Experience in handling coaching / training classes
• Possess strong presentation and negotiation skills and a high aptitude to work as a lead auditor.
• Strong written and verbal communication skills in English in order to clearly disseminate security messages and practices to senior management and other staff, and for contributing to security policy and process documentation
• Experience in liaison with other departments and other stakeholders
• Extensive experience in enterprise security document creation.
• Experience in designing and delivering employee security awareness training.
• Ability to conduct research into IT security issues and products as required.
• Ability to present ideas in business-friendly and user-friendly language.
• Ability to effectively prioritize and execute tasks in a high-pressure environment

About the Company

ADCB is a full-service commercial bank offering a wide range of products and services such as retail banking, wealth management, private banking, corporate banking, commercial banking, cash management, investment banking, corporate finance, foreign exchange, interest rate and currency derivatives, Islamic products, project finance, and property management services.