Vincent Kashaka, IS SECURITY & GOVERNANCE – GRC Security Analyst

EcoCash Holdings

Location: Zimbabwe - Harare
Education: Bachelor's degree, Honors Business Studies and Computing Science
Experience: 4 years, 1 month


Work Experience

Total years of experience: 4 years, 1 month

IS SECURITY & GOVERNANCE – GRC Security Analyst at EcoCash Holdings
  • Zimbabwe - Harare
  • My current job since May 2023

Assist EcoCash Holdings' Information Security efforts by identifying potential technology risks and designing, acquiring and maintaining security and governance systems in line with set performance standards.

Duties:
• Reviewing all Technical Services action plans to ensure adherence to Policies and Processes, Best practices, and Technology Services Governance frameworks
• Executing and following up on internal and external IT-specific audit engagements
• Aligning IT processes with all government and corporate policies and regulations
• Designing, implementing, and testing business processes.
• Developing and implementing robust information governance processes, policies, and practices
• Developing and reviewing Technical Services policies
• Implementing and ensuring operational effectiveness of IT general controls.
• Developing and maintaining the Technical Services Governance Framework
• Reviewing the Technical Services Operations within all the pillars and reviewing process SLAs and efficiency.
• Leading and conducting quarterly access reviews on systems, databases, and operating systems.
• Leading Cyber-Security Awareness campaigns as and when needed.
• Testing compliance with SLAs / KPIs as documented and recommending improvements.
• Evaluating Technical Services projects in line with IS goals and processes that are aligned to business goals.
• Conducting ad hoc security or vulnerability checks on systems in line with Technology Services policies and procedures and potential threats.

Achievements at EcoCash Holdings:
• Developed Policies, Standard Operating Procedures (SOPs) and process documents for the IS Technical Department.
• Reviewed and developed IS Policies and procedures and Business Continuity Policies and procedures in line with the ISO Information Security Management System (ISMS) and Business Continuity Management System (BCMS) Certification Audit.
• Part of the ISO 22301 and ISO 27001 Project Team
• Created and executed an awareness plan for dissemination of IS Policies to all employees.
• Conducted and documented the Business Impact Analysis for the ISO 22301 project.
• Conducted successful ISO awareness trainings and campaigns ahead of the ISO 22301 and ISO 27001 certification audits.
• Conducted and assisted in successful cyber security trainings and awareness initiatives within the organisation.
• Document control and audit coordination for the ISO 22301 Audit and ISO 27001 recertification audit
• Organised ISMS and BCMS workshop to foster ISO 22301 Audit and ISO 27001 culture within the organisation

CYBER & TECHNOLOGY RISK CONSULTANT at Grant Thornton Zimbabwe
  • Zimbabwe - Harare
  • June 2021 to June 2023

• Developing an understanding of Grant Thornton methodology and tools
• Responsible for planning and scoping the external IT audits. This covers defining the scope of work, communicating it to the relevant stakeholders, and drafting budgets for the assignments.
• Working with assigned team members and client personnel to plan assignment strategy, define objectives, and address technology-related controls risks and issues.
• Executing IT audits and application control reviews, through completion to the reporting stage, for clients in various industries.
• Building and managing excellent client relationships.
• Performed and reviewed application control (automated control) validation for various business cycles.
• Led engagements on IT general controls work, application controls and data analytics for external audit clients.
• Applying knowledge of IT trends, systems, and processes to evaluate findings for significance and risk and to develop recommendations for improvement based on leading practice.
• Presenting the audit report to the audit clearance committee.
• Holding meetings with banks to understand their business, the IT environment, and their expectations.
• Conducting reviews of general IT controls over the various system layers: application, database, and operating system.
• Ensured assignments are run within budget, time, and resource requirements.
• Interacting with the client to keep communication between the audit team and the client professional and efficient, so that different team members do not end up asking the client for the same thing.

Achievements at Grant Thornton which resulted in raising its Global Cyber Security Review (GCCR) ratings by 10%:
• Prepared a security awareness and training policy and phishing simulations for all Partners and employees, with appropriate follow-up training as needed.
• Documented a security awareness plan and ensured that all new joiners, including contractors and the leadership team, complete information security training within 60 days of joining the firm.
• Prepared, updated and tested Business Continuity, Disaster Recovery, and Incident Management Plans, and tested compliance with agreed Service Level Agreements (SLA) and minimum security requirements. Supporting documentation provided included response and recovery test plans and response and recovery test reports.
• Made sure that processes and procedures are in place to assess the impact of vulnerabilities, determine the extent to which they are exposed to threats and manage the residual risk.
• Carried out vulnerability scans in accordance with the Vulnerability Management Plan. More than 90% of assets were scanned.
• Incidents were contained and mitigated in accordance with the member firm's Risk Management Policy.

CYBER & TECHNOLOGY RISK CONSULTANT at Deloitte & Touché Zimbabwe
  • Zimbabwe - Harare
  • September 2019 to September 2020

• Developing an understanding of Deloitte methodology and tools
• Assisted management with engagement scope planning and improved drafting of IT audit budgets by 20%.
• Documented risk assessments and identified key risks for various IT environments (banking, manufacturing, consumer products, telecommunications)
• Reviewed policies and procedures relating to clients' information security standards and applied them to controls testing criteria
• Performed design and operating effectiveness testing of General IT controls on relevant IT systems
• Performed design and operating effectiveness testing of General IT controls on supporting environments of relevant IT systems (Windows, Linux, Unix AIX)
• Performed testing for SOD controls on different financial systems within the banking sector
• Performed tests on computer generated information (IPE/IUC) for accuracy and completeness
• System interface testing
• Took responsibility for all engagement work and ensured that time charged on the engagement is in line with budgeted time
• Documented audit findings and their impact and reported them to the client
• Application and automated control testing
• Interviewed clients on findings to ensure there are alternate controls or plans to address risks identified
• Audited IT organizations, IT processes, and IT systems against policies, regulations, standards, and good practices such as COBIT and ITIL for a variety of clients
• Prepared documentation (work papers, planning memorandums, and audit programs)
• Assisted with client management throughout the audit lifecycle

Education

Bachelor's degree, Honors Business Studies and Computing Science
  • at University of Zimbabwe
  • October 2021

Specialties & Skills

Cyber Security
IT Audit
IS Governance
Risk Analysis
Policy Review
Policy documentation

Languages

English: Intermediate

Training and Certifications

Certified ISO 22301 Provisional Lead Implementer (Certificate)
Date Attended: February 2024