It's fun to work in a company where people truly BELIEVE in what they're doing Responsible for supporting and executing the strategic direction and roadmap for improvement of IT Governance, Risk, and Compliance in line with the overall Pick n Pay Information Security Charter and key Information Security principles.
This extends to leading, implementing, and supporting the related programs of work to implement related policies, frameworks, structures, processes, controls, and technology.
It also requires managing and executing various risk management and control improvement activities in support of our business and Information and Technology Services.
This includes ensuring compliance with relevant external and internal requirements, legislation, and regulations.
This role also includes supporting and driving the ascription to relevant frameworks and related processes for the ongoing management of the IT GRC activities.
Relevant professional certification(s) such as CRISC, CISA, CISM and/or CGEIT (or similar)Minimum of 5 years' work experience in the GRC space Understanding of relevant frameworks, guidelines, and standards (specifically NIST CSF and PCI-DSS)Understanding of relevant regulatory requirements and standards such as PCI, POPI, KING, EMV, etc.
Experience PCI-DSS Assessments Experience in and strong understanding of IT Governance, Information Security, Privacy, IT Risk, Internal/External Audit related concepts Experience working in a multi-vendor and outsourced IT environment (preferred)IT Governance Maintain the overarching GRC Framework linking to the Info-Risk, Security and Privacy control frameworks, driven by the overall GRC and Information Security strategies Establish and maintain a common language with senior management and executives to ensure that GRC exposures are accurate, clear, understood, and communicated to relevant stakeholders Develop, review and support the roll-out of the relevant frameworks, policies, standards, and guidelines as well as key security and privacy controls, while ensuring alignment with the supporting IT operational processes Coordinate with Internal/External Audit and Regulatory Reviews to ensure good quality, and that actionable management comments are agreed as output from such reviews Benchmark and mature the IT control environment aligned with industry best practices to achieve agreed maturity levels Establish and oversee processes to ensure that IT operations are monitored for compliance to the applicable policies Develop, monitor, and support the reporting on Key Risk Indicators (KRIs) for each IT HOD relating to information risk, security, privacy, and compliance matters Provide support and participate in business impact analyses performed to enhance the IT Business Continuity and Disaster Recovery Plans in alignment with the overall Business Continuity efforts for the enterprise Actively promote the importance and value of good Governance, Risk and Security practices and a risk aware culture as well as support the corporate-wide User Awareness campaign, which includes developing relevant training material content as needed Be a trusted adviser to both business and IT for technology and information-related decisions Participate and provide input in various forums (such as regular Management meetings, Information Security and Risk forums, etc.), both to support oversight of operating control effectiveness and to facilitate the continuous improvement of key control measures and practices Drive operational process and performance improvements to reduce cost of failure or rework Mature and deliver Management Information Systems reporting tailored to the relevant audience (IT and business related.)Maintain up to date knowledge of GRC, Information Security and Privacy best practices, including the evaluation of relevant emerging technologies, opportunities, and threats Assist Pick n Pay subsidiaries as needed through training, consultative advice and sharing of material Provide SME support for projects and business-as-usual activities, with a specific focus on the IT Governance, Information Risk, Information Security, Privacy and Compliance related matters Information Risk Management Mature the overall Information Risk Framework to drive value not only for IT but also for the business Identify risk tolerance levels and risk appetite based on the expectations from IT and the business Perform and manage a series of internal risk assessments based on the IT landscape's potential risk exposures Perform an annual review of the current and future risk scenarios (per IT division) linked to the current IT risk appetite ensuring that this translates into the applicable roadmaps for the next financial year Track the high-impact risk exposures versus allocated budget, projects and/or BAU activities to remediate the prioritised risk exposures on a bi-annual basis Designing, drive, and monitor control remediation according to a prioritised, risk-based approach (whether project- orientated, or BAU) in collaboration with business and IT management Support the business and/ or risk owners control remediation for threats and/or exposures Manage and mature the IT Risk Register (Share Point) and Risk Dashboard (Power-BI) to enhance the management and reporting of IT-related risk exposures (including audit findings)Coordinate regular review of controls Manage and sustain the 3rd-party risk management practices, including coordinating the Data/ Information Asset Management process, and engaging with risk owners in conjunction with Legal and/or Corporate Procurement Drive security-by-design and privacy-by-design principles (especially within the project management space)Coordinate the collation of IT support to mature group cyber insurance in cooperation with Investor Relations Information Security Management Maintain the Information Security Management System (ISMS) by focusing on data protection which spans across the group and govern all business units Maintain and monitor compliance to the NIST Cyber Security Framework by evaluating the current practices against the set of security requirements Own and manage the information policies' exemption process together with the applicable IT HODs Actively promote the importance and value of good Information Security Practices Assist in developing and monitoring the execution of the annual Cyber Security Plan and Roadmap to ensure the effectiveness of the design and implementation of security controls in support of a sustainable and measurable information security effort Liaise with IT and Information Security leadership, security architecture, capacity leads of the functional areas and operational security to ensure adequate security solutions are in place throughout all systems and platforms to mitigate identified risks sufficiently, and to meet business objectives and regulatory requirements Drive security awareness and training focusing as well as maintain the Learning Management System (LMS)Coordinate an annual security incident response simulation linked to the current or new playbook ensuring that the roles and responsibilities of all role players are understood and identify any process and/or control improvement Maintain and update the Incident Response Plan in accordance with changes in business, risk, technology and people.
Coordinate the investigation of significant (high impact) security incidents or control breakdowns, perform root cause analyses, and ensure that effective improvement actions are defined, ownership assigned and ultimately implemented to reduce the likelihood of similar incidents re-occurring Support and coordinate the annual PCI/DSS re-certification process including the transition to v4 compliance Support the threat and vulnerability management, annual and ad-hoc) penetration testing to ensure that identified vulnerabilities are addressed via the risk management process Competencies: Strong interpersonal capabilities to engage senior stakeholders, business owners and risk community Have a collaborative and business enabling mindset (not purely compliance or audit)Excellent written and verbal communication skills, including the ability to report and communicate technical concepts to technical and non-technical audiences Advanced analytical and problem-solving skills, with the ability to derive practical solutions to complex problems Ability to work both independently and as part of a team (interpersonal and collaborative skills) to deliver quality work product in a timely fashion in a fast-paced environment Ability to maintain strict confidentiality A strong desire to learn and improve.
Also, must be able to quickly change own paradigms and ideas when new options or possibilities present themselves.
