Information Security Governance Practitioner

Recruiter: DLK

Job Ref: SD_ISGP_01

Date posted: Wednesday, May 19, 2021

Location: Cape Town, South Africa

Salary: Market related salary per hour

SUMMARY:
We require an Information Security Governance Practitioner to work in Cape Town.

POSITION INFO:

The role of the Information Security Governance Practitioner encompasses many activities including (but not limited to):

  • Application Security (service area):
  1. Assisting the Ce-I architecture team, the contracted Information Security (Technical) resources and the relevant WCG stakeholders with the creation of an application inventory (database) that records the security-related information for each application.
  2. Gathering the application details and performing a security risk and business impact assessment (identifying the security requirements and the existing gaps) on at least two (2) applications per month, based on the agreed prioritisation set out in the departmental business continuity plans.
  3. Documenting any shortcomings and developing improvement plans.
  4. Conducting workshops with the respective application development teams to analyze the gaps and recommended improvements.
  5. Engaging with security architecture team, at least monthly, to assist with defining and formalizing solution patterns to adhere to standards and best practices.
  6. Assisting security architecture team with their role in defining security standards, requirements and reviewing of processes within the WCG Software Development Lifecycle (SDLC).
  7. Selecting and customizing a methodology to establish security within the SDLC process (e.g., use of BSIMM or SAMM). The selected methodology should enable the execution of the existing secure development policy and establish a formal engagement model to discuss good security practices during the various phases of the SDLC e.g., Initiation phase, Planning Phase, Discovery Phase, Analysis phase and Close Out phase.
  8. Performing a maturity assessment of the application "build shops", starting with transversal applications and expanding to other internal and 3rd party application "build shops". The Practitioner must perform a minimum of 1 (one) assessment per quarter. Each assessment should produce a roadmap for achieving maturity in line with the selected methodology.
  9. Reviewing, defining, and documenting improvement processes in the execution of source code management.
  10. Conducting quarterly workshops to guide the application developers in the identification and the use of secure coding and code review practices.
  11. Attending the periodic management committee meetings to report on progress in this area and to escalate any matters requiring a decision.
  • Collaboration & Messaging (service area):
  1. Providing security review and input into the WCG social media policy.
  2. Assisting with the establishment of a security governance oversight capability for social media accounts and password management.
  3. Recommending areas of improvement with regards to social media use and controls related to information security such as crisis and incident management.
  4. Providing security input to collaboration policies and aligning them with the data loss prevention policy, the IT Data Recovery Plan policies and the WCG Cybersecurity Strategy.
  • Data Protection & Classification (service area):
  1. Defining an approach to address Data Protection within WCG based on existing Cybersecurity Strategy.
  2. Facilitating data classification workshops with data owners and departmental entities to identify data governance standards, principles, controls and data classification requirements.
  3. Conducting annual risk assessments and business impact assessments to identify the critical data assets. These can be combined with other assessments described in this bid invitation.
  4. Conducting workshops and facilitating information gathering sessions (in respect of all new technology / software to be acquired) to define technology capabilities and requirements, so that the relevant policies (such as those on database encryption and database access management) are adhered to.
  5. Providing input into the enterprise data management initiatives and providing guidance on the labelling and handling of classified information.
  6. Engaging with the enterprise architecture team and providing input to be incorporated into ICT security standards.
  7. Collaborating with the legal governance team (of the Department of the Premier) to establish the role of security in the privacy program and assist with the implementation of capabilities to ultimately improve compliance with the requirements of POPIA.
  8. Developing a data loss prevention (DLP) strategy and roadmap for the WCG; providing strategic guidance on the implementation of DLP controls in line with the data protection strategy and other related WCG policies; and assisting with the development of metrics and reports that track progress with the implementation of the DLP capability across the WCG.
  • Endpoint Security (service area):
  1. Selecting and customizing the relevant Center for Internet Security (CIS) Benchmarks for the operating systems (OS) on endpoint devices and servers, database platforms and network infrastructure.
  2. Guiding respective IT areas with the implementation of the defined standards.
  3. Defining an endpoint protection strategy and improvement plan. This must consider the implementation of an Endpoint Detection and Response (EDR) capability. In defining the strategy, the following must be considered:
    a) Endpoint protection controls
    b) Threat and vulnerability management
    c) Device lockdown
    d) Endpoint user account privileges
  4. Monitoring the implementation of the improvement plan for efficiency and effectiveness across all user endpoints, servers, network infrastructure and database platforms, covering improvements to anti-malware, encryption, endpoint application control, endpoint firewalling, OS hardening, endpoint detection and response (EDR) and device lockdown.
  • The Governance and Administration of Network Security (service area):
  1. Assisting with the identification of metrics and the development of reports that show the health status and trend analysis of the network security posture.
  2. Defining an approach and processes for corporate and guest wireless network management (such as provisioning, monitoring and security configuration).
  3. Preparing and giving presentations and providing feedback to the Information Security Steering Committee, Management and Operational Committee on the progress made in this domain and present matters that require executive decision-making.
  4. Incorporating recommendations from architectural reviews and roadmaps into cybersecurity programme with associated resource requirements, dependencies, prioritization and governance oversight.
  • Strategy Development and Implementation of Identity and Access Management (IAM) (service area):
  1. Developing and guiding the implementation of a comprehensive authentication strategy to formalize the patterns and plans for multifactor authentication, single sign on and digital signing of documents.
  2. Developing and guiding the implementation of an authorization architecture for the protection of critical databases, applications and web services. This should include a Privileged Access Management (PAM) strategy that addresses both infrastructure and application privileges.
  3. Developing and defining an approach for federation and the use of cloud brokers for intergovernmental (Business to Business - B2B) connections and for Business to Consumer (B2C) identity and access management security services.
  4. Defining an architecture and roadmap for the implementation of the Microsoft Azure Active Directory and Microsoft Identity Management solution for all user identities (in respect of both on premise and cloud resources). The solution is expected to, inter alia, provide an authoritative source of identity, provisioning of all infrastructure and application access, role-based access methods and access attestation.
  5. Providing guidance and quality assurance to the WCG and Microsoft technical resources with the rollout of the Microsoft Identity Management and Azure Active Directory solution in-line with the strategic roadmaps.
  6. Defining and documenting event logging and IAM reporting standards for applications and infrastructure components, so that secure audit logs meet forensic investigation requirements.
  • Governance & Compliance (service area):
  1. Guiding the IT and architecture teams in determining the security requirements for the development and maintenance of an IT asset inventory and Configuration Management Database (CMDB).
  2. Developing an information security scorecard with measurements metrics and reporting processes to demonstrate the business value of the Information Security Management System and Programme.
  3. Assisting the WCG's Enterprise Architecture team with the establishment of an enterprise security architecture function and framework that defines the standards, patterns and roadmap needed for a consistent approach to the implementation of security policies.
  4. Defining and establishing security governance mechanisms in respect of the implementation of infrastructure and application changes to either on-premise or cloud environments.
  5. Establishing a security management process to ensure the security requirements are built into tenders, contracts, and vendor management processes.
  6. Assisting the Enterprise Architecture team to define and document a security architectural process that defines and assesses security requirements for technology development and acquisitions.
  7. Reviewing and updating the security compliance management framework, which addresses information security aspects, to ensure compliance with legislative and regulatory frameworks.
  8. Further maturing the establishment of security governance structures within the WCG to drive the security agenda and impact of information security across the departments and key parts of the WCG.
  9. Updating the end user awareness strategy and programme to focus on various target audiences (such as developers, security managers and data stewards). The awareness plan must be built on policy awareness, good security practices and social engineering risks. Conducting classroom-based security awareness sessions and campaigns using an e-learning platform.
  10. Defining a security service catalogue and a process to integrate it with the IT Service Management processes. This includes reviewing the WCG's service catalogue and processes to determine and advise on the security service elements that should be included, and recommending the removal of elements that are no longer relevant.
  • Physical security (service area):
  1. Performing an information security-based review of the existing physical access management systems (in the CBD and at WCG owned locations) and access management practices, and providing recommendations for the improvement of these systems and practices.
  2. Developing a comprehensive approach and roadmap for the integration of the physical and logical access management systems to combine the physical building access control system with the identity directory services.
  • Security Analytics (service area):
  1. Defining and developing a Security Operations Centre (SOC) strategy and implementation plan that focuses on use cases. Both documents must be aligned with departmental plans and with the WCG Cybersecurity Strategy, goals and objectives.
  2. Defining and developing a roadmap to integrate the WCG IT incident response system with the disaster recovery and business continuity plans.
  3. Assisting with maturing the user behaviour monitoring and cyber intrusion monitoring systems. Microsoft Advanced Threat Analytics must be fully integrated into the SIEM so that its events are available for monitoring, correlation and analytics in the SIEM.
  4. Identifying use cases in support of forensic and HR processes for effective threat management.
  • Vulnerability Management (service area):
  1. Developing a vulnerability management strategy, improvement roadmap and processes to address the vulnerabilities on the network (infrastructure, OS, databases and applications).
  2. Developing a patch management strategy and improvement roadmap that covers all infrastructure, databases, applications, and endpoint devices. The strategy must cover both critical and regular patches.


Minimum Requirements: 

  • Relevant tertiary qualification and/or applicable courses.
  • ISACA certification (Certified Information Security Manager).
  • Minimum of 5 years’ experience as a Certified Information Security Manager (CISM).
  • Minimum 3 years' experience as an Information Security Governance Practitioner or an equivalent role within the public sector.
  • Must be a member of ISACA in order to have access to ISACA resources.
