Manager IT Governance & Controls
2026-06-10T08:34:55+00:00
Pearl Bank
https://www.postbank.co.ug/
FULL_TIME
Kampala
Kampala
00256
Uganda
Finance
Management, Computer & IT, Business Operations
2026-06-15T17:00:00+00:00
8
POSITION DESCRIPTION
JOB TITLE: MANAGER IT GOVERNANCE & CONTROLS
REPORTS TO: CHIEF INFORMATION SECURITY OFFICER
JOB PURPOSE
- The Manager – IT Governance & Controls is responsible for leading the governance, assurance, control oversight, and regulatory compliance functions of the IT Security & Governance department.
- The role ensures the Bank maintains an effective and measurable cybersecurity governance framework aligned to business growth, digital transformation, regulatory obligations, and enterprise risk appetite.
- The role acts as the Bank’s focal point for cybersecurity governance, policy management, integrated assurance, control maturity, security architecture governance, and technology risk oversight across internal systems, digital platforms, third-party ecosystems, and strategic technology initiatives.
KEY RESPONSIBILITIES / KEY DELIVERABLES
- Develop, implement, and continuously improve the Bank’s cybersecurity governance framework, ensuring alignment with business strategy, regulatory obligations, and enterprise risk appetite.
- Own and manage the lifecycle of cybersecurity policies, standards, baselines, procedures, and control frameworks, ensuring they remain current and aligned to industry best practices.
- Ensure alignment and compliance with applicable regulatory and security frameworks, including ISO/IEC 27001:2022, PCI DSS v4.0, Bank of Uganda Cyber & Technology Risk Guidelines, Data Protection and Privacy laws, SWIFT CSP, NIST Cybersecurity Framework, and other relevant standards.
- Lead the planning, coordination, and management of cybersecurity audits, regulatory inspections, certifications, and assurance reviews, including internal audits, external audits, and supervisory examinations.
- Coordinate evidence collection, control validation, remediation tracking, and closure of audit findings, ensuring timely resolution and reduction of repeat findings.
- Design, maintain, and monitor the Bank’s cybersecurity control framework, ensuring effective preventive, detective, and corrective controls are implemented across technology environments.
- Conduct governance reviews and control assessments across infrastructure, applications, digital channels, identity platforms, payment systems, cloud services, and third-party integrations.
- Embed security governance and security-by-design principles into technology initiatives, digital products, procurement processes, architecture reviews, and change management processes.
- Review solution architectures, technology designs, and project implementations to ensure security requirements, control standards, and regulatory obligations are incorporated before production deployment.
- Lead the identification, assessment, treatment, monitoring, and reporting of cybersecurity and technology risks, ensuring alignment with the Bank’s enterprise risk management framework.
- Maintain and periodically review the cybersecurity risk register, key risk indicators (KRIs), control effectiveness metrics, and management action plans.
- Monitor emerging cybersecurity threats, regulatory changes, and technology risks, and recommend governance enhancements to strengthen the Bank’s resilience.
- Lead cybersecurity due diligence, risk assessments, and control reviews for third-party service providers, fintech partners, cloud providers, and strategic technology vendors.
- Ensure cybersecurity requirements are incorporated into vendor onboarding, outsourcing arrangements, contracts, and ecosystem integrations.
- Produce monthly, quarterly, and annual governance, compliance, and control reports for the CISO, Executive Management, Board Committees, regulators, and auditors.
- Present actionable insights on audit posture, regulatory compliance, control maturity, risk trends, and governance performance to senior stakeholders.
- Drive continuous improvement initiatives to enhance governance maturity, reduce compliance gaps, strengthen control effectiveness, and improve operational efficiency.
- Lead cybersecurity awareness on governance obligations, policy compliance, and control responsibilities across technology and business teams.
- Build and support governance champions across business units to strengthen enterprise-wide ownership of cybersecurity and compliance responsibilities.
- Support strategic initiatives such as digital transformation, open banking, fintech integrations, cloud adoption, data monetization, and emerging technology adoption by providing governance oversight.
- Prepare and manage the Governance & Controls unit budget, annual work plans, and strategic roadmap aligned to departmental and Bank objectives.
- Provide leadership, mentorship, and subject matter expertise in cybersecurity governance, regulatory assurance, and technology control management.
- Perform any other duties assigned by the Chief Information Security Officer in support of the Bank’s cybersecurity, governance, and resilience objectives.
BUSINESS BEHAVIOURS
- Passion: Committed to excellence, delivering outstanding results and making a positive impact on our customers and stakeholders.
- Teamwork: Collaborates with mutual respect and diverse perspectives to achieve shared success and deliver greater value to the Bank.
- Integrity: Upholds honesty, transparency, and accountability, ensuring ethical practices in every action.
- Innovation: Embraces creativity and forward thinking, continually seeking new solutions to enhance customer experience and drive business growth.
QUALIFICATIONS, EXPERIENCE AND COMPETENCIES REQUIRED
- Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, Information Systems, Business Information Technology, or a related discipline.
- Postgraduate qualification in cybersecurity, information security, technology risk, governance, or business administration will be an added advantage.
- Professional certifications in cybersecurity, governance, audit, or risk management will be an added advantage, including ISO/IEC 27001 Lead Implementer or Lead Auditor, ISACA CISM, CRISC, CISA, ISC2 CISSP, PCI DSS, Data Protection, Cloud Security, or related certifications.
- Candidates who are actively pursuing relevant professional certifications and demonstrate commitment to continuous professional development will be strongly considered.
- Minimum 3 years of experience in information security, IT governance, technology risk, audit, compliance, infrastructure, application security, or related technology functions.
- Experience working within banking, financial services, fintech, telecommunications, or other regulated environments will be an added advantage.
- Exposure to information security frameworks, regulatory compliance, technology risk management, internal controls, audit processes, or policy management.
- Foundational understanding of governance and control frameworks such as ISO 27001, PCI DSS, NIST CSF, COBIT, SWIFT CSP, and Data Protection and Privacy requirements.
- Exposure to technology environments such as enterprise infrastructure, cloud platforms, digital channels, identity and access management, and vendor or third-party technology integrations.
- Experience participating in audits, remediation programs, risk assessments, policy reviews, project governance, or technology control reviews.
- Ability to analyse risks, challenge constructively, and translate technical issues into business-focused recommendations.
Vacancy title:
Manager IT Governance & Controls
[Type: FULL_TIME, Industry: Finance, Category: Management, Computer & IT, Business Operations]
Jobs at:
Pearl Bank
Deadline of this Job:
Monday, June 15 2026
Duty Station:
Kampala | Kampala
Summary
Date Posted: Wednesday, June 10 2026, Base Salary: Not Disclosed
Work Hours: 8
Experience in Months: 36
Level of Education: bachelor degree
Job application procedure
Interested in applying for this job? Click here to submit your application now.
THE FOLLOWING DOCUMENTS SHOULD ACCOMPANY THE APPLICATION
- Cover letter, Detailed CV, and Copies of academic documents all as one file.
MODE OF APPLICATION
- Online applications addressed to Chief People & Strategy Officer, Pearl Bank Uganda.
- Send application with job title as subject.
- Closing Date: Monday 15th June 2026 at 5:00pm.
- Only shortlisted candidates will be contacted.
Pearl Bank Uganda Ltd is an equal opportunity employer