The Information and Communications Technology Risk department is part of the Group Risk Functions within BNP Paribas. It is a part of the 2nd line of defence under the Bank’s Chief Cyber & Technology Risk Officer. Among other responsibilities, the department identifies key technology risks to the Bank and influences business and technology partners to take sound risk management decisions. This is achieved by delivering:
Application & Infrastructure Risk Assessments: working with the Business and Technology teams to identify security issues in existing and new systems, agree corresponding actions to mitigate or accept risks, and track issues and agreed actions to completion.
Horizontal Risk Assessments: Assessing technology risks in relation to a particular theme or technology across the organisation. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
Vertical Risk Assessments: Assessing risks to a product, service, technology or infrastructure. For instance we may complete a vertical assessment on our remote working solution (including Infrastructure, applications, data, threats etc.) or our Internet connectivity.
Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
Recurrent analysis of maturity of controls on all entities of the Group.
Independent Technical Testing (ITT) is one of the activities of the Information and Communications Technology (ICT) Risk department. BNPP is looking for the Head of the ISPL ITT team, who, together with their team, will help to identify and reduce risks on the information system (alignment of strategy with business needs, software development life cycle, IT project management, IT architecture, IT security…) and thus improve the Bank’s business as usual. The Group is engaged in an important transformation process, including the outsourcing of functions and the redesign of applications.
• Steer and lead the technical testing activities such as deep assessments, control inspection and Red Team, carried out by a team currently composed of 4 generalist and technical auditors;
• Develop methodologies and tools for the achievement of assignments (including the development of the internal technical laboratory);
• Ensure the steering of the 2nd line of defence activities;
• Verify the quality, relevance and traceability of the team’s assessments and the preparation of assessment reports;
• Provide IT and Cyber Risk Management advice to business and production teams.
Skills and Experience:
• Master Degree or equivalent in ICT domains
• 7+ years in security and technology assessments
• Strong capacity of problem solving, presentation skills, and consulting
• Demonstrated ability to communicate effectively with stakeholders and technical staff
• Strong experience in project management
• Excellent written and verbal communication
• Recognized experience in cyber security (Pen Test, IAM, data protection, resiliency)
• Customer-oriented vision: the best technical solution is not always aligned with business constraints
• Excellent understanding of cyber environment fundamentals, cyber risks and cyber threats
• Excellent understanding of risk management protocols and the concept of the “3 lines of defence”
• Takes the initiative to maintain and enhance their own skill level
• Experience in the financial sector.
Mastery of concepts related to network infrastructures and information system security, including emerging threats and attack methodologies, in particular:
• Network security, network equipment configuration, network protocols, network standards, supervision (monitoring), conceptual skills, decision making, informing others, functional and technical expertise, reliability, information security policy.
• Recognized skills for the integration of different security or data protection technologies within a coherent architecture to effectively cover the risks of the company.
• Mastery of technical testing tools.
• Experience of pen-testing (network, application, system…).
• Good technical understanding of security technologies, including intrusion detection/prevention, correlation of events, firewall, antivirus, anti-spam, policy tightening, patch management and configuration management, audit, security development technique, etc.
• In-depth understanding of authentication and identification standards such as OAuth, OpenID and SAML.
• Knowledge of cryptographic standards for encryption, electronic signature, key management infrastructure (PKI).
• In-depth understanding of native platforms or common applications such as (non-exhaustive list): UNIX, Linux, Windows, Android, iOS, Oracle, MS SQL, Microsoft Outlook, J2EE and .NET applications…
• Knowledge of security issues and associated controls related to hosting or cloud computing services. Knowledge of Amazon’s AWS services is preferred.
• Knowledge of control frameworks and compliance requirements.
• Practical experience and knowledge of applications integrated with service-oriented enterprise architectures, supporting a multi-channel approach (web-based interfaces, mobile, tablet, etc.).
• Industry-recognized information security certifications such as CISSP, CISM, CRISC, CEH or Security+.
• Mastery of delivering formal deliverables such as PowerPoint presentation, reports or procedures
• Demonstrated ability to communicate effectively and to present in a structured approach
• Mastery of MS Office skills
• Good knowledge of the following products will be a plus:
o Archer Technologies SmartSuite Framework;
o Tufin Operations Management.
Conduct / Interpersonal Skills:
• Be a role model, supporting and fostering a culture of good conduct
• Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
• Consider the implications of your actions on colleagues, partners and clients before making decisions, and escalate issues to your manager when unsure.