Manager IT Governance & Controls job at Pearl Bank

The Manager – IT Governance & Controls is responsible for leading the governance, assurance, control oversight, and regulatory compliance functions of the IT Security & Governance department. The role ensures the Bank maintains an effective and measurable cybersecurity governance framework aligned to business growth, digital transformation, regulatory obligations, and enterprise risk appetite. The role acts as the Bank’s focal point for cybersecurity governance, policy management, integrated assurance, control maturity, security architecture governance, and technology risk oversight across internal systems, digital platforms, third-party ecosystems, and strategic technology initiatives.

KEY RESPONSIBILITIES / KEY DELIVERABLES

  • Develop, implement, and continuously improve the Bank’s cybersecurity governance framework, ensuring alignment with business strategy, regulatory obligations, and enterprise risk appetite.
  • Own and manage the lifecycle of cybersecurity policies, standards, baselines, procedures, and control frameworks, ensuring they remain current and aligned to industry best practices.
  • Ensure alignment and compliance with applicable regulatory and security frameworks, including ISO/IEC 27001:2022, PCI DSS v4.0, Bank of Uganda Cyber & Technology Risk Guidelines, Data Protection and Privacy laws, SWIFT CSP, NIST Cybersecurity Framework, and other relevant standards.
  • Lead the planning, coordination, and management of cybersecurity audits, regulatory inspections, certifications, and assurance reviews, including internal audits, external audits, and supervisory examinations.
  • Coordinate evidence collection, control validation, remediation tracking, and closure of audit findings, ensuring timely resolution and reduction of repeat findings.
  • Design, maintain, and monitor the Bank’s cybersecurity control framework, ensuring effective preventive, detective, and corrective controls are implemented across technology environments.
  • Conduct governance reviews and control assessments across infrastructure, applications, digital channels, identity platforms, payment systems, cloud services, and third-party integrations.
  • Embed security governance and security-by-design principles into technology initiatives, digital products, procurement processes, architecture reviews, and change management processes.
  • Review solution architectures, technology designs, and project implementations to ensure security requirements, control standards, and regulatory obligations are incorporated before production deployment.
  • Lead the identification, assessment, treatment, monitoring, and reporting of cybersecurity and technology risks, ensuring alignment with the Bank’s enterprise risk management framework.
  • Maintain and periodically review the cybersecurity risk register, key risk indicators (KRIs), control effectiveness metrics, and management action plans.
  • Monitor emerging cybersecurity threats, regulatory changes, and technology risks, and recommend governance enhancements to strengthen the Bank’s resilience.
  • Lead cybersecurity due diligence, risk assessments, and control reviews for third-party service providers, fintech partners, cloud providers, and strategic technology vendors.
  • Ensure cybersecurity requirements are incorporated into vendor onboarding, outsourcing arrangements, contracts, and ecosystem integrations.
  • Produce monthly, quarterly, and annual governance, compliance, and control reports for the CISO, Executive Management, Board Committees, regulators, and auditors.
  • Present actionable insights on audit posture, regulatory compliance, control maturity, risk trends, and governance performance to senior stakeholders.
  • Drive continuous improvement initiatives to enhance governance maturity, reduce compliance gaps, strengthen control effectiveness, and improve operational efficiency.
  • Lead cybersecurity awareness on governance obligations, policy compliance, and control responsibilities across technology and business teams.
  • Build and support governance champions across business units to strengthen enterprise-wide ownership of cybersecurity and compliance responsibilities.
  • Support strategic initiatives such as digital transformation, open banking, fintech integrations, cloud adoption, data monetization, and emerging technology adoption by providing governance oversight.
  • Prepare and manage the Governance & Controls unit budget, annual work plans, and strategic roadmap aligned to departmental and Bank objectives.
  • Provide leadership, mentorship, and subject matter expertise in cybersecurity governance, regulatory assurance, and technology control management.
  • Perform any other duties assigned by the Chief Information Security Officer in support of the Bank’s cybersecurity, governance, and resilience objectives.

BUSINESS BEHAVIOURS

  • Passion: Committed to excellence, delivering outstanding results and making a positive impact on our customers and stakeholders.
  • Teamwork: Collaboration, mutual respect, and diverse perspectives to achieve shared success and deliver greater value to the Bank.
  • Integrity: Uphold honesty, transparency, and accountability, ensuring ethical practices in every action.
  • Innovation: Embrace creativity and forward-thinking, continually seek new solutions to enhance customer experience and drive business growth.

QUALIFICATIONS, EXPERIENCE AND COMPETENCIES REQUIRED

  • Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, Information Systems, Business Information Technology, or a related discipline.
  • Postgraduate qualification in cybersecurity, information security, technology risk, governance, or business administration will be an added advantage.
  • Professional certifications in cybersecurity, governance, audit, or risk management will be an added advantage, including: ISO/IEC 27001 Lead Implementer or Lead Auditor, ISACA CISM, CRISC, CISA, ISC2 CISSP, PCI DSS, Data Protection, Cloud Security, or related certifications.
  • Candidates who are actively pursuing relevant professional certifications and demonstrate commitment to continuous professional development will be strongly considered.
  • Minimum 3 years of experience in information security, IT governance, technology risk, audit, compliance, infrastructure, application security, or related technology functions.
  • Experience working within banking, financial services, fintech, telecommunications, or other regulated environments will be an added advantage.
  • Exposure to information security frameworks, regulatory compliance, technology risk management, internal controls, audit processes, or policy management.
  • Foundational understanding of governance and control frameworks such as: ISO 27001, PCI DSS, NIST CSF, COBIT, SWIFT CSP, Data Protection and Privacy requirements.
  • Exposure to technology environments such as: enterprise infrastructure, cloud platforms, digital channels, identity and access management, and vendor or third-party technology integrations.
  • Experience participating in audits, remediation programs, risk assessments, policy reviews, project governance, or technology control reviews.
  • Ability to analyse risks, challenge constructively, and translate technical issues into business-focused recommendations.

Vacancy title:
Manager IT Governance & Controls

[Type: Full-time, Industry: Finance, Category: Computer & IT, Management, Business Operations]

Jobs at:
Pearl Bank

Deadline of this Job:
Friday, June 5 2026

Duty Station:
Kampala | Kampala

Summary
Date Posted: Friday, May 29 2026, Base Salary: Not Disclosed



Work Hours: 8

Experience in Months: 36

Level of Education: bachelor degree

Job application procedure
Interested in applying for this job? Click here to submit your application now.

THE FOLLOWING DOCUMENTS SHOULD ACCOMPANY THE APPLICATION

  • Cover letter, Detailed CV, and Copies of academic documents all as one file.

MODE OF APPLICATION

  • Online applications addressed to Chief People & Strategy Officer, Pearl Bank Uganda.
  • Send application with job title as subject.
  • Closing Date: Friday 5th June 2026 at 5:00pm.
  • Only shortlisted candidates will be contacted.
  • Pearl Bank Uganda Ltd is an equal opportunity employer.

Job Info
Job Category: Computer/ IT jobs in Uganda
Job Type: Full-time
Deadline of this Job: Friday, June 5 2026
Duty Station: Kampala | Kampala
Posted: 29-05-2026
No of Jobs: 1
Start Publishing: 29-05-2026