  • Posted: Sep 6, 2024
    Deadline: Not specified

    Santam Limited is the largest short-term insurer in South Africa, with a market share in excess of 22%, providing short-term insurance products through broker networks and direct sales channels. The company was established in 1918 and offers personal, commercial, and corporate insurance solutions. Santam is a subsidiary of Sanlam Limited and has been listed ...

    Business Information Security Officer

    KEY RESPONSIBILITIES

    • Establish and manage a Santam Business Unit (SBU) Information Security Programme.
    • Implement cybersecurity awareness campaigns.
    • Participate in Group Information Security Programme (GISP) initiatives.
    • Information Security Governance and Assurance.
    • Document processes and artefacts that prove that the relevant governance and assurance processes were implemented as designed.
    • Information Security Incident Response and Cyber Crisis Management.
    • Application (including cloud), Infrastructure Security, and Cybersecurity Education, Training and Awareness.
    • The BISO will implement processes and controls as agreed with the Group Information Security Officer (GISO), GISP and the Group CIO.
    • The BISO will be responsible for the quality and cost-effectiveness of information security services delivery in the SBU and will report on these metrics to the GISP and GISO.
    • Provide regular feedback to Santam Manco on Group-wide information security issues.
    • The BISO will report to the GISO on new initiatives, plans, and progress, which will be discussed with the Group Information Security Committee.
    • Review and improve existing IT and Information Risk assessment, reporting and management practices.

    KEY RESPONSIBILITIES

    • Update the Santam IT and Information Security Risk register.
    • Document a security risk management action plan. This must include the relative priorities of agreed-upon actions, ownership of the actions, and agreed-upon timelines.
    • Priorities will be aligned to Santam and GISP priorities. The BISO must have an action plan to implement these initiatives in Santam.
    • Up-to-date and complete Santam cloud technology outsourcing and third-party register (where applicable).
    • Review and respond to PSPG and risk acceptance requests within the agreed time.
    • Clear and timely communication to management and users regarding planned group awareness campaigns.
    • Risk assessment that identifies a requirement for additional awareness or targeted education, training, and awareness interventions.
    • Alignment with the Group's annual security education, training and awareness plan.
    • Document the logical access review schedule for Line of Business Applications, review the results, facilitate resolution, and report on the progress made in resolving issues identified during the reviews.
    • Review and respond to all security-related audit findings.
    • Report all cyber security incidents, or information security incidents (including privacy-related incidents) where the compromise was through technology to the Sanlam Group Technology (SGT) CSIRT.
    • Be a primary contact for cybersecurity incidents identified by the SGT CSIRT.
    • Ensure appropriate actions are taken when policy breaches are identified in the SBU.
    • Assist by facilitating engagement and communication with key stakeholders in Santam during a major incident.
    • Produce Quarterly Group ISO Forum and GISP reports.
    • Ensure that security 'gates' are a formal part of the SDLC/Agile/relevant solution development methodology.
    • Interventions and role-players must be clearly specified.
    • Active participation in Sanlam-sanctioned industry bodies (e.g. ISF Live, ISACA, FS-ISAC)
    • Timeous escalation of new, high or escalating cybersecurity risks.
    • Engage with application owners and the Group Cyber Security Centre (GCSC) Operations Team to ensure that system vulnerabilities identified during penetration tests, Red Team exercises, or vulnerability scans are addressed.
    • Ensure that the Group CIO is aware of risks and actions required.
    • Facilitate workshops and risk documentation during Control Self Assessments or Crown Jewel Risk Assessment processes.
    • Find & provide root cause analysis and implement permanent and/or long-term fixes for cyber-related incidents.
    • Strong understanding of integration between Workstations and Network/Servers.
    • Installations and monitoring of devices using automated tools (e.g. SCCM) & scripting.
    • Responsible for maintaining a configuration register of assets and licenses.

    QUALIFICATIONS AND EXPERIENCE

    • Bachelor’s Degree or Diploma in Computer Science, Information Systems or other related field, or equivalent work experience
    • Minimum 7 years of relevant experience
    • Cyber and information security certifications (such as CISM, CISSP, CCSP, CISA, ISO 27000 Lead Implementer/Auditor) are in force. If the candidate does not possess such certifications, evidence is required that the candidate is studying toward them.

    Method of Application

    Interested and qualified? Go to Santam Insurance on careers.sanlamcloud.co.za to apply
