Chief Information Security Officer

1. Information Security

2. Take the lead on developing, maintaining and updating the Information Security Strategic Plan (ISSP) and Information Security Program (ISP).

3. Diligently maintain the Bank's Information Security Framework and underlying policies, procedures, standards and guidelines.
4. Enforce compliance with the ISP and the corresponding policies, standards and procedures across the organization and conduct security awareness and training programs catered to different sets of stakeholders.
5. Actively ensure appropriate administrative, physical and technical safeguards are in place to protect the Bank's information assets from internal and external threats.
6. Meticulously identify, introduce and implement appropriate procedures, including checks and balances, are in place to test these safeguards on a regular basis.
7. Manage and assist in performing on-going security monitoring of information systems including assessing information security risk through qualitative risk analysis on a regular basis, conducting functional and gap analyses to determine the extent to which key business areas and infrastructure comply with statutory and regulatory requirements, evaluating and recommending new information security technologies and counter-measures against threats to information or privacy, and developing security reports and dashboards.
8. Educate, inform, and report to the Board and Senior Management relevant information security issues and concerns; report regularly to the Bank's Senior Management regarding the status of the Information Security Program.
9. Assist in the effective implementation of information security incident response plan; Act as lead person alongside IT in the security incident and vulnerability management processes from design to resolution.
10. Coordinate and work with business process owners and executives across different departments to ensure that information security requirements support business needs and security systems and processes are working as intended.
11. Assist in ensuring regulatory compliance and adherence to information security-related laws, rules and regulations.

2. Data Privacy

• Monitor the Bank's compliance with the Data Privacy Act, its IRR, issuances by the NPC and other applicable laws and policies.
• Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the Bank;
• Advise the Bank regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
• Ensure proper data breach and security incident management by the Bank, including the latter's preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
• Inform and cultivate awareness on privacy and data protection within the Bank, including all relevant laws, rules and regulations and issuances of the NPC;
• Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the Bank relating to privacy and data protection, by adopting a privacy by design approach;
• Serve as the contact person of the Bank vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the Bank;
• Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security;

3. Business Continuity

• Ensure the data protection, confidentiality, availability and integrity of information in the event of business disruption
• Make it a priority to see that disaster recovery and emergency operating procedures are in place and tested on a regular basis
• Provide recommendations for the effective implementation of the Business Continuity Plan
• Ensure that the Business Continuity Plan is updated
• Information Security Awareness, Education and Training
• Develop and implement a program promoting risk awareness, data privacy and information security
• Direct the development of "Quick-info-Guides" or email brochures and slide presentations for onsite and online training and education sessions
• Ensure effective staff training programs are in place to increase security awareness across the Bank

4. Management Responsibilities

• Exercises administrative authority where applicable.
• Attends meetings, seminars and workshops as considered necessary and to benchmark with best practices and bridge knowledge gaps, if any.
• Support Senior Management in all aspects of operations and management.
• Prepares Strategic Plans of the department.
• Facilitate required audits and examinations
• Perform other duties and tasks that may be assigned by the Bank that will further the interest of information security and data privacy, and uphold the rights of the data subjects

5. Financial

• Prevent the bank to suffer from penalties and fines due to regulatory compliance and data breach