Deputy Director: IT Risk at The Government Pensions Administration Agency (GPAA)

Qualification/s Requirements

• A relevant three-year National Diploma/Degree or equivalent three-year qualification (at least 360 credits) with six (6) years appropriate proven experience in the Finance environment with three (3) years in management or middle management experience. Computer literacy which includes a good working knowledge of Microsoft Office products. 

Key Performance Areas

The successful candidate will be responsible for: 

• Provide risk management services to the ICT Chief Directorate. Provide risk training to the GPAA staff. Monitor compliance regarding risk related matters. Co-facilitate risk awareness programmes with stakeholders. Implement risk awareness programme for the ICT Chief Directorate. Manage centralised risk management software. Provide advice regarding risk related matters and emerging risks. Develop and implement risk action plans for business units to manage risks effectively. Liaise with external and internal auditors. Develop risk mitigation strategies to manage risk exposure. Provide support for the ICT Risk Champions. 
• Monitor and evaluate the management and functioning of ICT operations. Monitor ICT security and standards with all stakeholders (SITA, Service Providers, etc.). Advice on ICT security requirements specifications. Monitor the maintenance of security breach records. Monitor ICT security compliance in all areas. Monitor disaster prevention and recovery processes and backup. Monitor compliance with all ICT procedures, standards, and policies on procurement of ICT equipment. Assess the reliability of existing ICT controls against the required standards. Monitor the ICT systems and controls to identify potential risks. Evaluate identified ICT risks and escalate where required. Communicate with all stakeholders on a regular basis regarding identified risks. Conduct regular ICT security systems audits. Keep abreast of changes in relevant guidelines and other legislation, to make recommendations regarding governance documents may need to be amended. Ensure maintenance of the risk management software, upgrades, engagement with the service provider and/or ICT stakeholders. 
• Manage the implementation of risk methodologies, policies, processes, and framework within the ICT Chief Directorate. Monitor the implementation of the risk management plan and align with the GPAA’s overall outcomes. Monitor the effectiveness of risk mitigation strategies on an ongoing basis and make recommendations to review and amend where required. Ensure that ICT risks are identified and assessed. Facilitate and monitor the implementation of the risk awareness and training plan. Comply with legislation and adjust strategies, plans and procedures accordingly. Identify gaps in policies and procedures and establish mechanisms to alleviate these. Report back to key internal stakeholders at regular intervals to ensure that strategy is fit for purpose. Exercise delegated countersigning authority on the loss control form.
•  Monitor ICT compliance with risk control measures. Monitor patch management of systems, anti-virus and applications. Monitor the upgrading of IT security anti-virus software. Monitor system logs for breaches of security and initiates remedial actions. Monitor the adherence of security standards by all stakeholders. Attend to ICT related committees and provide the required reports to the relevant structure/s. Track and monitor the ICT risk action plans, compliance with the SLAs and key risk and performance indicators. Oversee the training in the use of risk management tools and techniques. Manage the central risk programme. Provide risk assurance on business process. Provide guidelines for ICT to ensure that the Chief Directorate’s strategy incorporates risk management principles. Proactively monitor and manage identified risks to minimise risk exposure. Ensure the undertaking of ICT risk assessments to determine the GPAA’s risk exposure. Report on risk action plans monthly including for Modernisation. Report on key risk indicators and/or performance indicators as required.