
  • Posted: Nov 24, 2023
    Deadline: Not specified

    Secondments is a 100% black-owned Level 1 BBBEE organisation, we believe in creating synergy with our clients by building sound business relationships which enhance our understanding of their business and needs. Secondments places highly qualified candidates in executive, permanent, contract, temporary and interim positions.Using a managed, controlled rec...

    Specialist: IT Governance, Risk and Compliance Specialist

    Minimum requirement

    • This position requires a minimum Degree/diploma (NQF 7) in Information Technology/Information Systems or Computer Science PLUS the following certifications: 
    • CISA, CISM, CRISC, CGEIT or CISSP
    • COBIT Training 

    Added advantage:

    • Any post graduate qualification in IT, compliance or Internal/External Audit or risk management will be an advantage.
    • Minimum 5 years’ experience in IT auditing or ICT governance, risk and compliance in a medium to large organisation, with 3 years managing IT audit teams and working with COBIT 19 processes.

    TECHNICAL COMPETENCIES

    IT governance

    • Reviews information systems for compliance with legislation and specifies any required changes. 
    • Responsible for ensuring compliance with organisational policies and procedures and overall information management strategy.
    • Implements the governance framework to enable governance activity to be conducted.
    • Within a defined area of accountability, determines the requirements for appropriate governance reflecting the organisation’s values, ethics and wider governance frameworks.
    • Communicates delegated authority, benefits, opportunities, costs, and risks.
    • Assists in reviews of governance practices with appropriate and sufficient independence from management activity.

    IT risk management    

    • The planning and implementation of organisation-wide processes and procedures for the management of IT risk to the success or integrity of the business, especially those arising from the use of information technology, inappropriate disposal of IT materials, hardware or data.
    • Carries out risk management activities within a specific function, technical area or project of medium complexity.
    • Identifies risks and vulnerabilities, assesses their impact and probability, develops mitigation strategies and reports to the business.
    • Involves specialists and domain experts as necessary.

    Information assurance    

    • The leadership and oversight of information assurance, setting high level strategy and policy, to ensure stakeholder confidence that risk to the integrity of information in storage and transit is managed pragmatically, appropriately and in a cost-effective manner.
    • Performs technical assessments and/or accreditation of complex or higher-risk information systems.
    • Identifies risk mitigation measures required in addition to the standard organisation or domain measures.
    • Establishes the requirement for accreditation evidence from delivery partners and communicates accreditation requirements to stakeholders.
    • Contributes to planning and organisation of information assurance and accreditation activities.
    • Contributes to development of and implementation of information assurance processes.

    Information security governance    

    • The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems with legislation, regulation and relevant standards.
    • Provides guidance on the application and operation of elementary physical, procedural and technical security controls.
    • Explains the purpose of security controls and performs security risk and business impact analysis for medium complexity information systems.
    • Identifies risks that arise from potential technical solution architectures. 
    • Designs alternate solutions or countermeasures and ensures they mitigate identified risks.
    • Investigates suspected attacks and supports security incident management.

    Duties and Responsibilities

    KEY PERFORMANCE AREAS (KPA’s)

    Strategic Function    

    • Contribute to the development of IT Risk and compliance frameworks and strategies for company.
    • Support the implementation of the centre Balance Score Card (BSC) initiatives.

    Product Management

    IT governance and risk management:

    • Provide support to the senior leadership team on the service portfolio and governance requirements.
    • Assess ICT general controls by conducting reviews on various aspects of information security, data privacy and business continuity. 
    • Develop and implement a mitigation plan for ICT general control gaps identified during periodic assessments.
    • Interpret ICT policies and contribute to development of procedures, standards and guidelines that comply with these.
    • Develop and maintain a risk register that includes ICT operational, business and strategic risks. 
    • Assess the impact and likelihood of identified ICT risks.

    Compliance management:

    • Facilitate active engagement in ICT internal control meetings focusing on identification of emerging and existing risks, escalation, mitigation and remediation, to ensure an environment of continuously improving ICT risk management and reduction of a non-compliance culture.
    • Identify, implement, monitor and report on IT compliance to regulatory and legislative requirements.
    • Conduct regular (at least monthly) compliance assessment against ICT policies, frameworks, principles, SLAs/OLAs, processes and procedures. 
    • Manage compliance using international standards, frameworks and best practices for benchmarking.

    IT audit engagement management:

    • Coordinate IT internal and external audit by being the intermediary between auditors and ICT teams.
    • Collect and collate audit evidence in line with requests for information from audit teams.
    • Review audit findings reports and provide responses to audit teams.
    • Ensure audit plans, audit engagement letters and audit reports are adequately stored in the ICT GRSC repository.
    • Ensure that ICT teams are aware of audit plans and focus areas.

    Clean IT administration (resolution of IT audit findings):

    • Review IT audit reports and follow up with IT audit findings owners in respect of actions to close the findings.
    • Facilitate the resolution of audit / compliance exceptions.
    • Ensure that the findings from any security assessment are rectified in a timely manner.
    • Conduct on-going monitoring and evaluation of ICT processes, procedures and operations to identify and manage ICT risks.
    • Monitor and track ICT risk mitigation actions until resolution and within agreed timelines.

    Education and awareness:

    • Provide support to the IT management in awareness activities in respect of IT governance, risk and compliance requirements.
    • Ensure that applicable IT policies, processes and procedures are adhered to through regular training and awareness campaigns.
    • Provide support to the IT management in awareness activities in respect of IT audit processes.

    Reporting:

    • Tracks and reports on risk management trends, opportunities and remediation and provides monthly reports / updates to the leadership team.
    • Create and maintain reporting, problem resolution, and other tasks necessary to continuous improvement and evolution of ICT risk management and compliance services.

    Stakeholder Management    

    • Establish, build and maintain collaborative working relationships with relevant internal and external stakeholders.
    • Build and maintain positive and value-adding relationships with relevant external stakeholders.
    • Scan the environment to ensure a clear understanding of stakeholder needs.
    • Work in collaboration with colleagues in the centre to ensure timeous delivery of the work.

    People Management    

    • Manage own performance. 
    • Participate in the BU’s transformation, culture, and diversity and employment equity initiatives.
    • Commit to continuous learning and advancing of one’s skills so as to remain abreast with industry trends.
    • Willing to work extra hours.

    Financial management and operational management    

    • Contribute to the compilation of centre budget, and manage project expenditure related to functional area.
    • Ensure compliance with the organisation’s governance processes, policies and procedures.
    • Manage supply chain processes within own functional area.

    Other responsibilities (Applicable to All JD’s)    

    • Perform and/or manage other projects, tasks and assignments delegated by the senior manager not stipulated in the role profile description as and when required.

    Method of Application

    Interested and qualified? Go to Secondments on sec.erecruit.co to apply