Chief Information Security Officer at Electronic PayPlus Limited

OVERVIEW

• Ensure full compliance with PCI DSS physical security requirements covering CCTV, physical Access control systems, network systems and servers, and monitoring of internal and external security systems/structures, high security area, card production staff, security guards/operatives, visitors.
• Enforce a need-to-be-there policy for all visitors and contractors.
• Apply preventive controls review and ensure all card manufacturing and card personalization operatives comply with PCI Card Production Physical Security Requirements over staff access and movement to mitigates financial losses associated with non-compliance
• Effectively monitor, acknowledge, and log alarms when triggered by any event including DOTL (Door Open Too Long), Body Count, Dead-man, Alarm, Panel Fault Alarm, and Device Fault Alarm, Access Control System – Alliance Server.
• Ensure that the access control system is reviewed weekly and audited quarterly by Internal Audit and Compliance Department for compliance.
• Meets system security financial objectives by forecasting requirements; preparing an annual budget; scheduling expenditures; analysing variances; initiating corrective actions.\r\n• Protects computer assets by developing security strategies, directing system control development and access management, monitoring, control, and evaluation.
• Establishes system safeguards by directing disaster preparedness development, conducting preparedness tests.
• Develops security awareness by directing development of orientation and training programs, counselling clients.
• Advises senior management by identifying critical security issues, recommending risk-reduction solutions
• Updates job knowledge by participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations; coordinating hardware and software evaluations with vendors.
• Accomplishes system security and organization mission by completing related results as needed
• Provide evidence of work done periodically for Executive Director\'s review weekly

LOGICAL SECURITY AND RISK MANAGEMENT\r\

• Ensure external network vulnerability scan are carried out quarterly and after any significant change in network or change by internal staff and using a PCI DSS approved scanning vendor (ASV) approved and penetration test.\r\n• Document, track and prioritize all findings and work with IT Team to initiate corrective action to vulnerabilities within two working days of discovery and retain evidence of successful remediation for future reference.
• Review critical patch updates for vulnerability before updating the patch on all critical systems
• Ensure internal and external penetration tests are done at least once a year on the network layer, all personalization network components, and operating systems and after any significant infrastructure changes using a PCI DSS approved scanning vendor (ASV) approved and penetration test.
• Document, track and prioritize all findings and initiate corrective action to vulnerabilities within two working days of discovery and retain evidence of successful remediation for future reference.\r\n• Ensure that intrusion detection systems (IDS) use for network traffic analysis covers all traffic generated by machine used within the personalization network, data preparation network, personalization network traffic, cloud-based provisioning network, IDS from DMZ, firewalls and public-facing interfaces or servers where cardholder data is decrypted.\r\n• Put in place and present for independent review all evidence of preventive measures, when requested by the Management and other stakeholders.
• Ensure full compliance to PCI DSS on management of ZMK (Zone Master Key) & KEK (Key Encryption Key) key loading ceremonies with evidence of audit trail of all activities.
• Log all clear key component activities with evidence. Carry out periodic review of adherence by all appointment key managers, custodians, key transfers, key destruction and key back-up and recovery.\r\n• Submit exception report to the Executive Director for corrective action. Ensure all secret data (chip personalization keys, PIN keys, CVV, CVC,CAV, CSC keys), Symmetric, private asymmetric keys and confidential data (cardholder name, PAN, expiry etc) are accorded strict confidentiality.
• Confirm that split knowledge and dual control is applied to preserve all key life cycle activities for key protection

REGULATORY AND POLICY ISSUES

• Collaborate with other internal Stakeholders to plan, prepare for and ensure smooth sail of all certification or re-certification Audit processes that requires information security reviews covering MasterCard, Verve, Visa and Internal Audit.
• Achieve system security operational objectives of the Company toward obtaining timely regulatory certification by contributing information and recommendations to strategic information security and risk functions; prepare and complete information security and risk action plans, resolving problems; completing audits; identifying trends; determining system improvements; implementing change.

Ensure negligible non-conformities.

• Carry out periodic review of all security architecture to identify potential threats, put mitigants in place and ensure security adequacy over card holder data.
• Ensure that Incidence Response Plan (IRP) is updated to all documents know or suspected compromise of classified data and un-usual activities around production equipment and operations.
• Submit monthly report of compliance to policy on critical door reviews, all remote access to the Company network/system components including policy on anti-virus software & firewalls and removable media policy. Provide weekly investigation report comprising forensic analysis with appropriate recommendations/remediation to the Executive Director.

RISK ASSESSMENT

• Conduct quarterly vulnerability and risk assessment
• Conduct bi-annual verification of IT assets in conjunction with IT and Internal Audit and Compliance departments and submit accurate reports
• Carry out Quarterly independent checks of network devices, user accounts and permission level of critical business machines; and submit report on findings.
• Review of Internal Security Manual with every new staff and conduct bi-annual/annual security awareness trainings.
• Review critical patch updates for vulnerability before updating the patch on all critical systems
• Ensure adequate incidence management and prompt resolution
• Conduct a quarterly inspection on all security devices to confirm they are working properly and submit a comprehensive report to management.
• Ensure monthly configuration review of all the Active Devices with the IT Manager.
• Review the weekly card access activities and submit report to the Internal Audit and Compliance and HR Department.
• Review key custodians’ suitability every quarter
• Monthly review of the network diagram.
• Annual test of BCP and ERP rehearsal.
•  Closure of audit non-conformity within stipulated time (MasterCard, Verve, VISA and interval audit.
• Review of the ISMS annually and compliance with the policies (clear desk policy, screen lock out etc.).
• Review network scan (GFI LAN Guard) report monthly.
• Monthly review of wireless (airtight) scan report
• Review of quarterly external network (ASV) scan with IT & IAC for quick remediation of non-conformity.
• Conduct risk assessment and submit report to MD and BOD committee.
• Attend BOD committee quarterly meetings.
• Review of the annual penetration and vulnerability test report with IT & IAC, ensuring quick remediation of non-conformity.
• Conduct security induction course for new staff.

PEOPLE’S MANAGEMENT

• Closely supervise/monitor the productivity levels of the unit’s staff to make sure that goals/targets are met.
• Report or give feedback on how the unit is or has been faring to the company’s top management whenever as required.
• Work in collaboration with other departmental managers to ensure a free-flowing process.
• Ensure excellent external customer/vendor relationship management.

REQUIREMENT

• Minimum of 7 years cognate experience
• BSc or HND in Computer Science or related discipline and any of professional certification CISSP, CISM, CISA, Cisco certification

KEY SKILLS AND COMPETENCIES

• Confidence
• Excellent technical skills
• Positive energy and agility
• Organizational skills
• Planning skills
• Interpersonal skills
• Communication skills
• Problem solving skills
• Team working skills
• Attention to details
• Understanding of the code, specification and regulations related to the payment card industry
• IT skills