Manager, Information Security Compliance (UAE National)

Mashreq
United Arab Emirates
AED 120,000 - 180,000
7 days ago
Job Description

To develop, manage, and execute Information Security Governance, Risk and Compliance across Mashreq in order to:

  • Contribute strategically to the bank's success and enable the bank's business and technology strategy to expand with secure and reliable service offerings.
  • Navigate compliance complexities and support compliance with information security requirements across regions.
  • Ensure the confidentiality, integrity, and availability of our sensitive information and IT assets and a proactive approach to build a resilient security posture.
  • Empower a security-conscious culture.
The Manager IS Governance, Risk and Compliance (IS GRC) has overall responsibility for information security governance, risk and compliance management and supports the Head of IS GRC in achieving the organization's security strategy and goals. He/she is the deputy of the Head of IS GRC.

The Manager of IS GRC is a T-shaped expert with proven skills in most core capability areas of IS GRC: Policy, Governance and Culture; Cyber Strategy & Program Management; and Risk and Compliance. He/she will actively develop expertise and leadership in the other capability areas to cover the full GRC scope, including by rotating roles among the managers of IS GRC.

The Manager of IS GRC will lead a Center of Excellence (CoE) in his/her area of primary focus and support the growth of T-shaped expertise in the CoE.

Performance in the role will be evaluated on the positive impact on the bank in terms of risk reduction, rather than on effort expended.

Responsibilities
Policy, Governance & Culture
  • Information Security Framework, Policy, and Standards: Lead the development and implementation of a comprehensive information security framework, policies, and standards to ensure the organization's information assets are adequately protected.
  • Enable the mechanism to assess, monitor and report on implementation status.
  • Ensure group practices are in line with security standards like ISO 27001, NIST and others.
  • Security Governance and Reporting: Ensure preparation, delivery and follow-up of the key ISG committees, including the Information Security Committee, Business Engagement meetings, ORC and BRC, with the required quality and on time. Obtain all prerequisite reviews and approvals in a timely manner.
  • Manage actions from those committees with proper tracking and timely closure.
  • KPI & KRIs: Enable and monitor key security metrics, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs) as required to measure the effectiveness of the information security program.
  • Cyber Culture: Promote a culture of cyber security awareness across the organization.
  • Develop and deliver training programs to enhance employees' understanding of cyber threats and preventive measures.
  • Facilitate and foster activities to create information security culture and behavior across the organization.
  • Assure that training and learning requirements are assessed for staff, and that the required training and awareness are captured and delivered, so that the organization has the necessary skills to manage cyber risks.
  • Peer Security Engagement: Collaborate with peers across the organization to share and implement best practices for information security. Foster a culture of continuous learning and improvement. Develop and implement, in collaboration with FP&I, HR and Communication at minimum, a Security behavior and culture program. Update and align existing content, particularly online training, induction training to ensure continuous alignment with business needs, the internal and external threat landscape, and regulatory requirements.
  • Audit Support: Enable the Information Security department in preparation for internal and external audits and be at the front-line to support audit activities. Manage internal and external audits on ISG; track and manage timely remediation.
  • Drive security enhancements to ensure the organization stays ahead of peers in terms of information security posture.
  • Global Support: Support regional CISOs with governance activities, including the formulation of and adherence to local policies and procedures in line with Group policies and local regulatory requirements.
  • ESG (Environmental, Social, and Governance): Ensure that the organization's cyber security policies align with ESG principles. Monitor the impact of these policies on the organization's ESG performance and reporting as required.
  • Help the Head of IS GRC with content for management and board committees and other management submissions.
Cyber Strategy & Program Management
  • Cyber Strategy: Support the Head of IS GRC in developing and managing the bank's 3-year Information Security strategy. Update it annually based on changes in business priorities and the evolving threat and risk universe.
  • Regularly review and provide feedback to improve the organization's cyber security practices, the policies and procedures to reflect changes in the cyber threat landscape.
  • Cyber Planning & Budgeting: Support the Head of IS GRC in budget planning and in managing the ISG budget and expenses globally.
  • Cyber Strategic Initiative/Program Management (PM): Oversee the implementation of cyber security initiatives sponsored by the Head of Information Security to ensure their success and completion in line with strategy, budget approvals and business priorities.
  • Security Service Management: Manage the Information Security services related to IS GRC and review and provide feedback on other information security services from ISG to assure that these services effectively mitigate cyber risks and comply with relevant regulations.
  • Cyber Workforce Alignment/Talent Management: Align the cyber security workforce with the organization's needs.
  • Consult with business heads to enable BISO (Business Information Security Officer) to drive Mashreq's information security and privacy agenda within the business unit.
  • Cyber Organization Alignment: Align the organization's cyber security strategies and policies with its business objectives. Ensure that all departments understand and adhere to important cyber security protocols.
  • Bank's Security Posture Management and Benchmarking: Regularly assess and benchmark the organization's security posture against the industry and peers.
  • Cyber Best Practice Sharing: Regularly share updates on the latest cyber security best practices. Encourage teams to incorporate these practices into their daily operations.
  • Cyber Risk Quantification: Quantify the organization's cyber risks. Use qualitative or quantitative methods to assess the potential impact of cyber risks on the organization.
Risk & Compliance
  • Risk Life-Cycle Management: Define risk lifecycle management process for the bank in alignment with ERM and ORM and enable the same in ISG GRC solution to support the unit.
  • Act as a trusted advisor to Business when supporting risk-based decisions.
  • Develop and implement, in collaboration with ERM and ORM, a Risk Appetite lifecycle framework to ensure continuous alignment with business needs, the internal and external threat landscape, and regulatory requirements.
  • Assure Information Security exceptions are documented, effectively assessed and approved from respective risk owners and tracked for closure.
  • Third-party Risk Management: Oversee the management of third-party risks. Ensure that all third parties that the organization deals with comply with the organization's information security requirements and in alignment with Bank's TPRM framework.
  • Perform security risk assessments as per the annual plan and ensure all key risks are documented in the GRC platform for tracking and remediation.
  • Information Security RCSA (Risk Control Self-Assessment): Enable and monitor the effectiveness of the Information Security Risk Control Self-Assessment process to identify and manage information security risks.
  • Cyber Risk Management: Manage the organization's cyber risks through a mechanism that identifies the key cyber risks to the organization, documents them and reports on them so that they are effectively tracked to closure.
  • IS GRC Solution Management: Be the business owner of the bank's GRC platform for ISG and oversee the management of the organization's IS GRC solution.
  • Enable a centralized knowledge base and GRC solution to automate Information Security activities and governance processes, with a centralized risk register and risk reports and dashboards on the overall risk posture per location and business unit.
  • Ensure that the solution is effectively used to support the organization's information security governance, risk, and compliance activities.
  • Support local CISOs / IS SPOCs in regulatory audit discussions and with data required from ISG, and enable the local CISOs with Prism access to onboard open issues for centralized tracking and governance.
  • Internal IS Controls & Reporting: Enable Information Security control framework for the bank and provide regular reports on the effectiveness of these controls.
  • Regulatory Compliance Management: Oversee the organization's regulatory compliance with respect to information security. Ensure that all regulatory requirements are identified, documented, and complied with. Oversee and assure compliance to Cyber Security Frameworks of various Central Banks including HO and International operations.
  • IS Regulatory Obligation Register: Develop and maintain a register of all information security regulatory obligations. Ensure that the register is regularly updated and reviewed.
  • IS Regulatory Calendar & Task Management: Manage the IS regulatory calendar and ensure that all regulatory tasks are completed on time. Identify frequency-based regulatory requirements related to ISG from HO and the International regions, and develop and release an annual regulatory activity calendar on the GRC solution for effective tracking and governance.
  • Oversee and support key regulatory projects from a 2nd-line perspective to ensure the bank is compliant with key regulatory frameworks, namely PCI-DSS, SWIFT CSP and NESA IAS (Information Assurance Standard). Identify and ensure compliance with regulatory requirements through proactive collaboration with business units and local CISOs.
  • Regulatory Submission: Govern all regulatory submissions related to information security/ cyber security across the regions with supporting data required from ISG.
  • Govern regulatory-mandated information security / cyber security regulations and standards across the regions, including the cyber security frameworks in India, Kuwait and Egypt, NESA, SWIFT-CSP, PCI-DSS, DFS500, FFIEC, HKMA-CFI, etc.
  • Update the board of directors on NESA-IAS (Information Assurance Standard) compliance annually, as per the CBUAE mandate.
  • Regulatory Liaising: Act as regulatory liaison officer, coordinating with government officials within central banks and other government entities to facilitate the security agenda.
  • IS Regulatory Watch Forum Governance and Reporting: Govern the IS Regulatory Watch Forum and provide regular reports on its activities and awareness to senior managers of the bank on potential regulatory risk.
  • Cyber Insurance: Manage the organization's cyber insurance policy and ensure that it provides adequate coverage for the organization's cyber risks. Evaluate and enable cyber risk insurance for the bank, covering head office and international operations, to manage any adverse situation arising from cyber risk.
  • Encryption Key Management: Act as key custodian (information security officer) for critical payment system encryption keys, including HSM, SWIFT and B2B connections to card brands and payment processors.
General
  • Maintain a GRC roadmap and present progress bi-monthly to the Head of IS GRC.
  • Demonstrate adoption of ISG vision, mission, key principles, cultural and operational objectives. Support actively key ISG transverse initiatives.
  • Manage the main GRC Run The Bank and Change The Bank agenda to deliver quality results on time and within budget. Escalate in advance any alert, risk, critical dependency or issue that arises, with options for its management, to ensure proactive management and no surprises.
  • Ensure preparation, execution and follow-up of regulatory examinations, audits and assessments. Those reviews shall not result in any critical or high-risk issue for ISG or for ISG GRC.
  • Ensure closure of all legal, regulatory and audit issues with the expected level of quality, on time and within budget.
Key Principles
  • Alignment with Business Priorities: the Manager IS GRC aligns his actions and those of his department with the strategic objectives of the business.
  • Ownership and Accountability: the Manager IS GRC takes full responsibility for his activities and his department's, holding himself and his team accountable for their outcomes.
  • Driving Security Risk Reduction: The Manager IS GRC proactively drives initiatives that reduce security risks.
  • Focus on Outputs and Impact: The Manager IS GRC focuses on delivering outputs that create meaningful impact such as enhanced security culture and security posture of the bank.
  • Innovation and Automation: the Manager IS GRC continuously seeks innovative solutions and automates processes for efficiency.
  • Cost-Benefit Optimization: the Manager IS GRC strives to optimize the cost-benefit ratio of his and his department's actions.
  • Continuous Learning and Improvement: the Manager IS GRC is committed to learning from experience and continuously improving his processes and outcomes.
Operating Environment, Framework and Boundaries, Working Relationships
  • HO (Head Office) and International regulators and supervisors in the jurisdictions where the bank operates.
  • Information Security / Cyber Security Regulations and Industry best practices.
  • All business units across the three lines of defence: LOD1 (Business, Tech GRC, Technology), LOD2 (Group Compliance, Fraud Prevention, Risk Management) and LOD3 (Internal Audit).
Problem Solving
  • Ability to enable frameworks, solutions and processes for proactive management of Information Security risks.
  • Ability to understand regulatory language and to take decisions on applicability, compensating controls and residual risk.
  • Ability to derive residual risk and controls based on a defense-in-depth strategy and systemic risk when taking risk and control decisions.
Decision Making Authority & Responsibility
  • The Manager IS GRC is a senior officer who has overall responsibility for information security management and supports the Head of IS GRC in achieving the organization's security strategy and goals.
  • Consult and validate recommendations to mitigate risks to the business and technology.
  • Consult and provide recommendations to mitigate the risk to a level aligned with the risk appetite of the bank.
  • Assure compliance with regulatory expectations and avoid regulatory penalties.
  • Confirm adequacy of the controls against internal information security policy, standards, data privacy and local regulatory requirements.
Qualifications
  • A mid-to-senior level officer with sound knowledge and expertise in information security risk management, with experience of managing enterprise projects and of direct and indirect relationships with senior and executive management.
  • Strong experience and knowledge across the Information Security and Cyber Security domains including governance, policy procedures, compliance management, risk management and security incident response etc.
  • Strong experience in a banking environment with a strong understanding of key security frameworks such as ISO27001.XX, NIST 800.xx, PCI-DSS, SWIFT CSP, COBIT, etc.
  • Strong interpersonal, analytical and technical skills, including strong decision-making and prioritization skills.
  • Sound knowledge of evolving advanced tech stacks and related control and risk universe.
  • Sound knowledge and expertise in conducting risk assessment.
  • 10+ years of experience in the information security domain, with at least 2-3 years of dedicated experience in one of the GRC domains (Policy, Governance and Culture; Cyber Strategy & Program Management; Risk and Compliance).
  • Master's degree in IT/Information Security.
  • Professional certifications: CISA, CISSP, PCI-QSA, SABSA, etc.