Business Information Security Officer

**CAREER OPPORTUNITY**
- Santam BITS has a career opportunity for a senior role of Business Information Security Officer (BISO) in the Business Information and Technology Services (BITS) department which will be based in the Western Cape or Gauteng.

**KEY RESPONSIBILITIES**
- Establish and manage a Santam Business Unit (SBU) Information Security Programme.
- Implement cybersecurity awareness campaigns.
- Participate in Group Information Security Programme (GISP) initiatives.
- Information Security Governance and Assurance.
- Document processes and artefacts that prove that the relevant governance and assurance processes were implemented as designed.
- Information Security Incident Response and Cyber Crisis Management.
- Application (including cloud), Infrastructure Security, and Cybersecurity Education, Training and Awareness.
- The BISO will implement processes and controls as agreed with the Group Information Security Officer (GISO), GISP and the Group CIO.
- The BISO will be responsible for the quality and cost-effectiveness of information security services delivery in the SBU and will report on these metrics to the GISP and GISO.
- Provide regular feedback to Santam Manco on Group-wide information security issues.
- The BISO will report to the GISO on new initiatives, plans, and progress, which will be discussed with the Group Information Security Committee.
- Review and improve existing IT and Information Risk assessment, reporting and management practices.

**KEY RESPONSIBILITIES**
- Update the Santam IT and Information Security Risk register.
- Document a security risk management action plan. This must include the relative priorities of agreed-upon actions, ownership of the actions, and agreed-upon timelines.
- Priorities will be aligned to Santam and GISP priorities. The BISO must have an action plan to implement these initiatives in Santam.
- Up to date and complete Santam cloud technology outsourcing and third-party register (where applicable).
- Review and respond to PSPG and risk acceptance requests within the agreed time.
- Clear and timely communication to management and users regarding planned group awareness campaigns.
- Risk assessment that identifies a requirement for additional awareness or targeted education, training, and awareness interventions.
- Alignment with the Group's annual security education, training and awareness plan.
- Document the logical access review schedule for Line of Business Applications, review the results, facilitate resolution, and report on the progress made in resolving issues identified during the reviews.
- Review and respond to all security-related audit findings.
- Report all cyber security incidents, or information security incidents (including privacy-related incidents) where the compromise was through technology to the Sanlam Group Technology (SGT) CSIRT.
- Be a primary contact for cybersecurity incidents identified by the SGT CSIRT.
- Ensure appropriate actions are taken when policy breaches are identified in the SBU.
- Assist by facilitating engagement and communication with key stakeholders in the Santam during a major incident.
- Produce Quarterly Group ISO Forum and GISP reports.
- Ensure that security 'gates' are a formal part of the SDLC/ Agile/ relevant solution development methodology.
- Interventions and role-players must be clearly specified.
- Active participation in Sanlam-sanctioned industry bodies (e.g. ISF Live, ISACA, FS-ISAC)
- Timeous escalation of new, high or escalating cybersecurity risks.
- Ensure that the Group CIO is aware of risks and actions required.
- Facilitate workshops and risk documentation during Control Self Assessments or Crown Jewel Risk Assessment processes.
- Find & provide root cause analysis and implement permanent and/or long-term fixes for cyber-related incidents.
- Strong understanding of integration between Workstations and Network/Servers.
- Installations and monitoring of devices using automated tools (e.g. SCCM) & scripting.
- Responsible for maintaining a configuration register of assets and licenses.

**QUALIFICATIONS AND EXPERIENCE**
- Bachelor’s Degree or Diploma in Computer Science, Information Systems or other related field, or equivalent work experience
- Minimum 7 years of relevant experience

**COMPETENCIES**
- High Stress Tolerance.
- Building and maintaining relationships.
- Teamwork and ability to function independently.
- Facilitation Skills.
- Adaptability.
- Attention to detail.
- Planning and organising.
- Ability to work independently.
- Interpersonal savvy.
- Decision quality.
- Plans and aligns.
- Optimises work processes.
- Being resilient.
- Collaborates.
- Cultivates innovation.
- Customer focus.
- Drives results.
- ADDITIONAL COMPETENCIES AND SKILLS- Honesty, integrity, and respect.
- Positive, enthusiastic, can-do attitude.
- Ability to work under pressure and long hours.
- Ability to co-operate and thrive both within an independent and team environment.
- Project Management.
- Re