11/03 Rishita Tanna
Recruitment Consultant at Skillventory


Information Security Governance Role - BFSI (3-15 yrs)

Mumbai Job Code: 1062177

Information Security Governance


- Maintain Information Security Management System (ISO 27001:2013) Certification

- To prepare and keep all the records ready for ISMS Audits

- To coordinate with various stakeholders for completion of Audit for certification

Based on audit recommendations or senior management review, redraft changes and seek approvals, apart from periodic review, for:

- IS Policy and Procedures

- Cyber Security Policy and Procedures

- Cyber Crisis Management Plan (CCMP)

- Exception Management

- To provide exceptions for any deviations from Policy, Process, or Procedures

- Phishing Exercises

- Conduct phishing exercises on a regular basis and provide updates to management

- Security Metrics

- Prepare Monthly Security Metrics and provide updates to management

- File integrity system Management

- Manage File Integrity Monitoring Solution

- Understand the Circulars & Advisories and track the action points to closure

Information Security Compliance:

- Regulatory Compliance

- Understand Circulars from RBI, CSITE, NCIIPC, IBA, etc.

- Derive action points from Circulars and share compliance reports with Regulatory bodies

- To ensure compliance with the various circulars or advisories provided by CERT-In and RBI relating to Application Security, VA or PT

- To prepare and keep all the records ready for Internal Audits, IS Audits, IT Audits, Statutory Audit, Cyber Security Insurance Questionnaire and Certification Audit

- To coordinate with various stakeholders to ensure timely response and closure of observations

InfoSec Awareness, Education and Training:

- Evaluate general and specific training needs

- To prepare and conduct the employee training program on IS Policy, Cyber Security, PCI DSS, ISMS and other such processes

- To spread information security awareness and educate customers by sending periodic mailers, SMS, Mobile notifications etc.

Application Security Management:

- Understand the current setup of the Bank's information security policies, procedures and setup

- Knowledge of Application Security Testing of a given technology on an ad hoc basis

- Knowledge of analyzing VA and PT reports

- Knowledge of performing analysis on any suspicious activity or incidents

- Engage with and be a member of security tech forums, and obtain security alerts and threat updates from cyber security organizations for the latest information

- Contribute to the periodic review and update of the Application Security Life Cycle and Application/API Security checklists, for adoption by the application teams.

- Review the application checklists submitted by project teams, identifying risks and providing recommendations.

InfoSec Training, Awareness & Education:

- Work on information security awareness initiatives and training programs

- Evaluate general and specific training needs

- Prepare and contribute towards corporate InfoSec awareness program

Data Protection & Privacy:

- Understand the concepts of data protection, including Personally Identifiable Information (PII) and card data

- Implement compliance with PCI DSS version 3.2.1 requirements

- Engage with key stakeholders like application development and support teams for building appropriate controls

- Engage with Business, Analytics, HR, Legal and Compliance to coordinate and guide them for implementation of data protection and privacy policies, SOPs

- Contribute to the development and maintenance of the privacy policy for the organization

- Perform Privacy Impact Assessments on an ongoing basis and actively help the organization to be compliant

- Contribute to all areas of data protection for achieving and maintaining compliance with PCI DSS, GDPR and other privacy laws, as applicable

This job opening was posted a long time back. It may not be active, though it has not been removed by the recruiter. Please use your discretion.

Women-friendly workplace:

Maternity and Paternity Benefits
