Mission:
- Responsible for the definition of MTN Nigeria information security policy, embedding security policy into operations, leading security risk assessment efforts, and associated controls and reporting in line with MTN Nigeria policies.
- Drive effective coordination and closure of all information security compliance activities, including control tracking and actual submissions for closure.
Description:
- Identify, assess, and evaluate risk to enable the execution of the enterprise risk management strategy.
- Collect information and review documentation to ensure that risk scenarios are identified and evaluated.
- Identify legal, regulatory, and contractual requirements and organizational policies and standards related to information systems to determine their potential impact on business objectives.
- Identify potential threats and vulnerabilities for business processes, associated data, and supporting capabilities to assist in the evaluation of enterprise risk.
- Create and maintain a risk register to ensure that all identified risk factors are accounted for.
- Assemble risk scenarios to estimate the likelihood and impact of significant events on the organization.
- Analyze risk scenarios to determine their impact on business objectives.
- Develop an information security strategy aligned with business goals and objectives and ensure alignment of the information security strategy with corporate governance.
- Correlate identified risk scenarios to relevant business processes to assist in identifying risk ownership.
- Validate risk appetite and tolerance with senior leadership and key stakeholders to ensure alignment.
- Interview process owners and review process design documentation to gain an understanding of the business process objectives.
- Analyze and document business process objectives and design to identify required information systems controls.
- Facilitate the identification of resources (e.g., people, infrastructure, information, and architecture) required to implement and operate information systems controls at an optimal level.
- Ensure all controls are assigned control owners to establish accountability, and define control criteria to enable control life cycle management.
- Establish internal and external reporting and communication channels that support information security.
- Design and implement information systems controls in alignment with the organization’s risk appetite and tolerance levels to support business objectives.
- Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of information systems control performance in meeting business objectives.
- Develop and implement risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.
- Identify and evaluate risk response options, and provide management with information to enable risk response decisions.
- Review risk responses with the relevant stakeholders for validation of efficiency, effectiveness, and economy.
- Monitor and maintain information system controls to ensure they function effectively and efficiently.
- Plan, supervise, and conduct testing to confirm the continuous efficiency and effectiveness of information systems.
- Ensure that all IT policies and procedures are compliant with regulatory requirements.
- Assess and recommend tools and techniques to automate information systems control verification processes.
- Evaluate the current state of information systems processes using a maturity model to identify the gaps between current and targeted process maturity.
- Determine the approach to correcting information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated.
- Test information systems controls to verify effectiveness and efficiency prior to implementation, and implement information systems controls to mitigate risk.
- Facilitate independent risk assessments and risk management process reviews to ensure they are performed efficiently and effectively.
- Identify and report on risk, including compliance, to initiate corrective action and meet business and regulatory requirements.
- Coach and train the team to ensure understanding of the objectives and goals of the department, awareness of set targets and requirements, and regular review of their training needs.
- Review the performance of individual team members and complete appraisals in accordance with the employee performance appraisal procedures and time schedules.
Education:
- First degree in computer science, information technology/systems, or a related field.
- A master’s degree in a related field will be an added advantage.
- CISA, CGEIT, CISM, CRISC, COBIT, and ISO 31000
- Fluent in English
Experience:
6–13 years’ experience, which includes:
- A minimum of 3 years’ experience in an area of specialization, with experience in supervising or managing others
- Experience working in a medium-sized to large organization
- Interpretation and application of governance, risk, and compliance frameworks
- Advanced knowledge of risk assessment design and delivery
- In-depth understanding of PCI DSS, ISO 31000, ISO 27001:2019, and cybersecurity frameworks, including but not limited to NIST and CIS