To identify, prioritize, and estimate risk to NIBSS, other organizations, and the Nation, resulting from the operation and use of NIBSS information systems; facilitate implementation of effective risk management practices by operational management; intervene directly in modifying and developing the internal control and risk systems.
Serve as the primary liaison for the Chief Risk Officer (CRO) to system owners, common control providers, system security officers, information owners and stewards, and mission and business owners; serve as deputy to the CRO for risk management succession planning.
Emergency Management and Organizational Resilience (ER):
Actively assessing (testing and examining) business continuity, continuity of operations, crisis communications, critical infrastructure protection, disaster recovery, incident response, system contingency, occupant emergency, and other ER activities;
Reviewing, improving, and maintaining all operating procedures for testing all ER plans.
Internal Control Measures:
Intervening directly in modifying and developing the internal control and risk systems; evaluating incident details, trends, and handling for incident response;
Developing and maintaining operating procedures for risk management activities, particularly for providing management assurance at the enterprise and processes tiers of the risk management framework;
Reviewing and improving operating procedures for implementing all organizational policies. Support the continuous process improvement of Management Systems for business continuity (BCMS), information security (ISMS), and IT Service Management (ITSMS).
Identify risks to NIBSS (including its missions, functions, image, and reputation), assets, individuals, other organizations, the Nigerian Payment System, and the Nation, resulting from NIBSS operations; incorporate threat and vulnerability analyses, analysis of privacy-related problems, and mitigations provided by internal controls;
Conduct process risk assessments for the 18 baseline policy domains and for the underlying processes of all high-risk threat areas in the program plan, including product development, financial management, project and contract management, and operations management processes.
Key Responsibilities
Correct execution of processes and tasks for Management Assurance:
Actively assess (testing and examining) business continuity, continuity of operations, crisis communications, critical infrastructure protection, disaster recovery, incident response, system contingency, occupant emergency, and other emergency and resilience procedures.
Review, improve, and maintain all operating procedures for maintaining and testing all emergency and resilience procedures, support security testing of software, systems, and services.
Intervene directly in modifying and developing internal controls and risk management systems; evaluate incident details, trends, and handling for incident response.
Develop, implement, and maintain policies and operating procedures for risk oversight.
Support the continuous improvement of all management systems.
Identify and significantly diminish variations by using statistical approaches to decrease error rates and increase quality performance (process improvement);
institute an enhanced approach to software development, product management, and organizational transformation.
Correct execution of processes and tasks for Control Assessor:
Conduct a comprehensive assessment of implemented controls and control enhancements to determine the effectiveness of the controls (i.e., the extent to which NIBSS implements controls correctly, operates them as intended, and produces the desired outcome with respect to meeting the internal control requirements for the system and NIBSS).
Assess the implemented controls using the assessment procedures specified in the security and privacy assessment plans.
Review the security and privacy plans to facilitate development of the assessment plans prior to initiating the control assessment.
Provide an assessment of the severity of the deficiencies discovered in the system, environment of operation, and common controls, and recommend corrective actions to address the identified vulnerabilities.
Prepare security and privacy assessment reports containing the results and findings from the assessment.
Correct execution of processes and tasks for Assurance Architecture:
Ensure that enterprise architecture (including reference models and internal control framework) and systems supporting mission and business processes adequately address the protection needs of stakeholders and the corresponding system requirements necessary to protect organizational missions and business functions and individuals’ privacy.
Serve as a secondary liaison between the enterprise architect and the systems security and privacy engineers and coordinate with all system owners, system security officers, and privacy officers on the allocation of controls.
Advise the Chief Information Officer, Chief Risk Officer, and other Senior Management roles on all assurance and internal control issues.
Provide assurance on the protection of information and information systems from unauthorized system activity or behavior to provide confidentiality, integrity, and availability.
Develop internal controls for privacy and provide assurance on the management of privacy risks to individuals associated with the processing of Personally Identifiable Information (PII).
Consult on information ownership or stewardship through input of subject matter expertise:
Establish policies and procedures governing the generation, collection, processing, dissemination, and disposal of NIBSS information.
Establish rules in information sharing environments for appropriate use and protection of NIBSS information and retain the responsibility when NIBSS shares or provides the information to other organizations.
Provide input to system owners regarding the internal controls for the systems where the information is processed, stored, or transmitted.
Consult on enterprise architecture through input of subject matter expertise:
Work with Executive and Senior Management and subject matter experts to build a holistic view of NIBSS missions and business functions, processes, information, and assets.
Implement an enterprise architecture strategy that facilitates effective security and privacy solutions.
Coordinate with enterprise, security, privacy, and other architects to determine the optimal placement of information systems within the enterprise architecture and to address security and privacy issues between systems and the enterprise architecture.
Assist in reducing complexity within the IT infrastructure to facilitate security.
Assist with determining appropriate control implementations and initial configuration baselines as they relate to the enterprise architecture.
Collaborate with system owners and authorizing officials to facilitate authorization boundary determinations and allocation of controls to system elements.
Assist with integration of the organizational risk management strategy and system-level security and privacy requirements into program, planning, and budgeting activities, the SDLC, acquisition processes, security and privacy (including supply chain) risk management, and systems engineering processes.
Requirements
Required Qualifications:
Bachelor’s degree from an accredited university. A Master’s degree, a postgraduate degree, or other postgraduate university education is a plus.
The ideal candidate must possess professional qualification(s) in Certified in Risk and Information Systems Control (CRISC), and ISO Lead Auditor or ISO Lead Implementer.
Professional qualification(s) relevant to the job will be an added advantage.
Minimum of 10 years of relevant experience related to the job, of which at least 3 years must be in a supervisory role with direct or indirect reports.
Experience must include working knowledge of standards, guidelines, and regulatory requirements to manage enterprise risk and to improve internal controls, particularly ISO 31000, NIST 800-39, ISO 13053, and NIST 800-37.
Minimum of 1 year of experience in a Security/Fraud Management role.
The following professional qualifications are a plus:
Project Management Professional (PMP)
Certified Information Systems Auditor (CISA)
Certification in Risk Management Assurance (CRMA)
Functional Skills & Competency Requirements
The desired candidate must exhibit competencies in the following:
Job Knowledge (i.e. applies appropriate depth and scope of professional knowledge to the job; maintains knowledge of organizational operations, policies, and procedures);
Problem Solving & Judgment (i.e. independently recognizes and diagnoses problems; compiles, analyzes, and evaluates relevant information; exercises judgment in reaching logical conclusions and follows through with timely action);
Customer Service Skills (i.e. develops and maintains positive internal and external customer relationships; demonstrates competence in listening, understanding, anticipating, and/or resolving customer needs promptly);
Initiative & Reliability (i.e. demonstrates originality, versatility, and independent action in executing assigned functions, learning new techniques, and applying new and learned techniques to work assignments; meets obligations within agreed-upon timeframes);
Communication Skills (expresses self in a clear, concise, and organized manner, both verbally and in writing).
In addition, the ideal candidate must possess competencies in the following:
Knowledge of internal business processes and proficiency in project management practices.
Ability to develop technical documentation and non-technical presentations, and express information in a clear, concise, and organized manner, both verbally and in writing.
Must be detail-oriented and possess strong organizational and project management skills with the ability to prioritize multiple tasks and projects.
Must be analytical and able to analyze complex information, synthesize disparate data sources, and communicate effectively to management, operational, and technical personnel.
Must be able to work independently and make decisions regarding complex issues with appropriate consultation of peers, cross-functional teams, and supervisors.