InfoSec Compliance & Assurance Lead - Banking

Xenon7

Job Summary:

This role exists to accelerate the information security compliance posture across IT and Digital Transformation. The specialist acts as the InfoSec function's technical compliance arm tracking, evidencing, and reporting on remediation progress against CBE Cybersecurity Framework requirements, PCI DSS obligations, and internal control commitments. The role also leads and executes assurance exercises, either directly or by scoping and managing third-party security assessment engagements.

Key Responsibilities:

A. IT & Digital Transformation Compliance Follow-Up

Maintain a live compliance tracker across all active CBE Cybersecurity Framework control domains (IAM,

PAM, GRC, Container Security, and others).

Conduct regular technical walk-throughs with IT and Digital Transformation teams to validate

implementation status and close evidence gaps.

Escalate risks and blockers to the Head of GRC and CISO with clear risk-quantified language suitable for

Risk Committee reporting.

Map remediation actions to OKR key results and track delivery against agreed timelines.

Prepare compliance status reports in a format suitable for senior management and regulatory audiences.

B. PCI DSS Engagement Lead

Own the end-to-end PCI DSS engagement cycle scoping, gap assessment, remediation tracking, QSA

coordination, and Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ) readiness.

Coordinate across IT, Operations, and Digital to ensure cardholder data environment (CDE) controls are

implemented, evidenced, and maintained.

Manage the relationship with the appointed Qualified Security Assessor (QSA) and act as the internal

point of contact throughout the assessment cycle.

Drive closure of PCI DSS findings and build a compensating controls register where technical controls are

not yet feasible.

Maintain PCI DSS documentation library including network diagrams, data flow diagrams, asset inventory,

and policies relevant to the CDE.

C. InfoSec Assurance Exercises

Plan and execute assurance activities including control testing, configuration reviews, access reviews,

and policy compliance spot checks.

Scope, procure, and manage third-party security assessment vendors where specialized assessment

capability is required (e.g., penetration testing, red team exercises, cloud security reviews).

Produce clear assurance reports with risk-rated findings, business impact statements, and prioritized

remediation recommendations.

Track finding remediation to closure and validate effectiveness of corrective actions.

Coordinate with the InfoSec Control Validation Manager to align assurance outputs with

broader control validation programme.