Senior Manager Information Security (SMIS)
JOB PURPOSE
Reporting to the Executive Director, this role will be responsible for the bank's information security, balancing strategic leadership with technical oversight and ensuring compliance with regulations and standards.
The role holder will be expected to ensure development and maintenance of the Bank's information security vision, strategy, and programs. Safeguard the Bank's data, intellectual property, financial assets, technological infrastructure and client information from cyber threats while ensuring compliance with regulatory requirements, industry standards, and best practices. The Senior Information Security Manager will also work closely with the executive team to promote a strong culture of security awareness throughout the organization, identify risks, establish policies, and oversee the Bank’s information security operations, incident response, and cybersecurity resilience.
KEY RESPONSIBILITIES:
- Cybersecurity Program Development and Enforcement
- Develop, implement, and monitor the Bank’s cybersecurity program in alignment with industry standards and regulatory requirements.
- Oversee and implement the Bank’s cyber and technology policy to ensure compliance with regulatory and institutional standards for data protection, cybersecurity controls, and incident response.
- Regularly review and update the cybersecurity program and policies to reflect the latest threat intelligence, industry trends, and regulatory requirements.
- Comprehensive Asset and Infrastructure Management
- Ensure that the institution maintains a current enterprise-wide knowledge base of its users, devices, applications, software licenses and their relationships, including but not limited to: software and hardware asset inventory; network maps (boundaries, traffic and data flow); and network utilization and performance data, to ensure complete visibility over information resources.
- Oversee the continuous management of software and hardware asset inventories, network maps, and performance data to prevent unauthorized access and identify vulnerabilities.
- Implement continuous monitoring and risk-based auditing of information assets and network infrastructure, ensuring a robust security posture across all systems.
- Alignment with Strategic and Operational Objectives
- Ensure the Bank’s information systems and cybersecurity initiatives align with business strategies, risk appetite, and ICT risk management policies.
- Develop and implement user-centric security controls designed to meet the needs of internal users (management and staff) and external stakeholders (contractors, partners, and service providers).
- Collaborate with executive management to ensure the ICT strategy, including information systems and cybersecurity measures, supports the Bank’s overall business strategy and regulatory obligations.
- Risk Assessment, Incident Detection, and Response
- Ensure that regular, comprehensive cyber risk assessments are conducted, applying best practice and industry standards to evaluate emerging threats and vulnerabilities in the IT environment.
- Establish processes for proactive monitoring and timely detection of cyber and technology events or incidents, with a robust incident response plan in place.
- Regularly update the incident response mechanism and Business Continuity Plan (BCP), incorporating scenario analyses to evaluate potential material cyber-attacks and identify control gaps.
- Policy Compliance, Exception Management, and Reporting
- Review and assess risks related to any deviations or exceptions to approved cyber and technology policies, obtaining senior management approval as needed.
- Report to the Executive Leadership and the Board at an agreed interval, but not less than once per quarter, on the following: assessment of the confidentiality, integrity and availability of the institution's information systems; detailed exceptions to the approved cyber and technology policies and procedures; assessment of the effectiveness of the approved cybersecurity program; and all material cyber and technology events that affected the Bank during the period.
- Ensure prompt periodic reporting to the regulator as required by relevant regulations.
- Regularly re-evaluate exceptions to ensure residual risks remain within acceptable thresholds as determined by the institution and regulatory bodies.
- Cybersecurity Training and Workforce Development
- Lead the organization of professional cybersecurity-related training for Bank employees to enhance technical proficiency, ensuring alignment with the best practice standards and regulation.
- Cultivate an institution-wide cybersecurity culture that promotes awareness and best practices, engaging staff at all levels on the importance of security compliance and vigilance.
- Ensure the roles and responsibilities of managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
- Cybersecurity Monitoring, Incident Detection, and Business Continuity
- Implement continuous monitoring mechanisms for IT systems to detect cyber incidents promptly and ensure frequent data backups to secure storage for data integrity and accessibility.
- Review periodically the approved exceptions/deviations to ensure the residual risks remain at an acceptable level.
- Ensure timely update of the incident response mechanism and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered.
- Continuously test disaster recovery and Business Continuity Plans (BCP) arrangements to ensure that the institution can continue to function and meet its regulatory obligations in the event of an unforeseen attack through cyber-crime.
- Ensure frequent data backups of critical IT systems (e.g. real-time backup of changes made to critical data) are carried out to a separate storage location.
- Data Integrity, Confidentiality, and Availability
- Safeguard the confidentiality, integrity, and availability of information assets by implementing robust security controls, regularly assessing their effectiveness, and adapting to emerging threats.
- Manage and lead a team of security professionals; coach and mentor team members, building the team's collective capabilities.
DAILY RESPONSIBILITIES:
- Security Monitoring and Oversight
- Review daily security dashboards and incident alerts (from SIEM, firewalls, antivirus, DLP, etc.)
- Assess any critical vulnerabilities or system anomalies flagged by the security operations center.
- Approve or escalate incident response actions and ensure proper documentation
- Monitor threat intelligence feeds and assess relevance to the Bank’s environment.
- Lead and oversee the response to security incidents or breaches.
- Ensure root cause analysis is performed and lessons learned are documented.
- Communicate incident status and actions to senior management and regulators if necessary.
- Review open audit and risk issues related to information security
- Validate that controls are effective, and evidence is maintained for regulators
- Approve or advise on risk exceptions, policy deviations or emergency changes
- Ensure compliance with regulatory requirements (Bank of Uganda, ISO/IEC 27001, PCI DSS)
- Review and sign off security requirements for ongoing IT and business projects
- Update policies and standards as needed
- Plan for upcoming audits, penetration tests or regulatory reviews
- Leadership, Coordination, and Advisory
- Hold daily or weekly briefings with information security, IT and risk teams
- Provide directions to SOC analysts, network security and governance staff
- Approve access control changes or privileged user reviews for critical systems
- Advise executive management of emerging cyber risks and business impacts
- Review and contribute to new digital initiatives (mobile banking, APIs, cloud adoption) to ensure security is embedded
- Prepare review reports for the Senior Management or the Board Risk Committee
- Awareness, Culture Building, and Training
- Drive staff awareness programs on phishing, password hygiene and data protection
- Ensure training plans for the security team are on track
- Engage departments on compliance with security policies and procedures
- Track cybersecurity user awareness and training completion
- Administrative Oversight and Performance Tracking
- Manage security budgets, vendor contracts and service level reviews
- Track security KPIs (patch compliance; incident detection level and resolution time; audit closure rate; cybersecurity program compliance; risk assessment completion; vulnerability management closure and tracking; cybersecurity user awareness and training completion; effectiveness and efficiency of reporting)