TPTRM Consultant

5 - 10 years

8 - 12 Lacs

Posted: 23 hours ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description


The BNP Paribas Fortis Governance, Risk and Compliance team supports IT and Business Units to develop adequate solutions on operational IT and Cyber risk management practices, with specific focus on Information Security.
Their main missions are:
Identify operational IT and Cyber risks on assets/applications, projects and 3rd-parties.
Advise, consult, monitor and report on risk treatment in order to reduce the overall risk exposure of IT and Business at an optimized cost.
Elaborate and manage the implementation of a flexible strategy to reduce IT and Cyber risks in accordance with the IT and Information Security policies of BNP Paribas Group.

Responsibilities


Direct Responsibilities
Instruct the 5 European Banking Authority ICT risk categories and follow them throughout TPTRM assessments
Perform third-party technology risk assessments to help beneficiaries/contract owners identify and evaluate complex business and technology risks related to their third parties, and provide recommendations for managing those risks
Provide periodic status updates including potential risks and delays to the project delivery to beneficiary project manager, conduct workshops wherever necessary
Contribute to the definition and review of contractual clauses. Work with the Procurement team to add or amend any IT-related clause in the contract
Assist in the selection and tailoring of third-party technology risk management approaches, methods and tools to support delivery of third-party cyber risk assessment services
Review thoroughly Asset classifications and pre-existing asset related risks & control responses ensuring sync with TPTRM assessments responses
Identify key actors for decision making according to flagged risk families
Apply group key procedures, templates, to carry out risks activities
Demonstrate knowledge in one or more of the following cyber risk domains, including: Security Governance and Management, Security Policies and Procedures, Application Security Controls, Access Controls, Network Security Operations, Security Architectures, Identity Management, Disaster Recovery & Business Continuity, Incident Response, Risk Management, Privacy and Data Protection, Encryption.

Contributing Responsibilities
As part of its defined missions, the TPTRM Analyst/Consultant is responsible for executing - or supporting the execution of TPTRM Assessments involving - IT operational risks identification, assessment, documentation, treatment, monitoring and closing
Document TPTRM risks, assess inherent and residual risks in the activity
Analyze the root cause and the business impact
Work towards strong mitigation plan and the execution of the same
Provide support to beneficiary/contract owner to implement actions to reduce the residual risk
Report to P&P/ Project Manager about key TPTRM risks information, warning, or alert
Contribute to various exercises and reviews on controlling and assessing TPTRM risks
As a TPTRM Analyst/Consultant, review whether all the mandatory prior assessments are properly completed; if not, take the necessary actions towards compliance
Define and document a methodology, use groups tool to manage and document assessments and outcomes
Facilitate the business / sponsor / beneficiary / SME decision-making with deep analysis based on relevant flagged risk families
Provide support to provider teams/ contract owners and coordinate/ assist to ensure proper assessments are done
Manage TPTRM inventory with follow-up tracker management
Monitor the process with specific and group standard indicators to steer the activity
As an IRM team member this includes all or part of the following activities:
Execute as Second Line of Defense: Oversight of risk management and compliance, providing support and guidelines to operational teams.
Contribute to process improvement, upkeep with new policies, regulations, standards & guidelines
Contribute to IRM IT risk awareness actions

Technical & Behavioral Competencies

Functional Skills

Experience in IT Risk and Cyber Security domains in a financial institution demonstrating a high-level of commitment and self-motivation.
Experience in the Finance & IT industry with a strong exposure to IT Operations, Application Security, and/or network administration, IPS
Strong demonstrated knowledge of Risk & Compliance, cybersecurity, cyber risk, cyber threats, Third Party Technology Risk Management/ Vendor assessments
Risk knowledge and awareness of risks combined with enthusiasm and a genuine interest in the role of Risk Assessment, Third Party Technology Risk Assessment, Risk Analysis in business and providing Risk Opinion as a subject matter expert.
Working knowledge of global regulations, frameworks and standards (ISO, NIST, COBIT, PCI-DSS, HIPAA) and conversant in the tactics, techniques and procedures used by Risk adversaries.
Demonstrates a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate.
IT knowledge

Technical :
- Good understanding of organizations and IT Businesses
- Good technical understanding of infrastructures and IT Security Productions and Systems
- Experience in vulnerability management and penetration testing
- IT risk / Third Party risk analysis and management methods; should have worked on Risk Management Tools like RSA Archer, MetricStream, ServiceNow, etc.
- Knowledge of Cyber Resilience, IT continuity and business continuity
- GRC - Governance, Risk Management and Compliance Management.
- Firewall and Internet technologies; Cloud Security, Banking Tools & Technologies.
- Secure access control mechanisms; Encryption and Key management techniques

Behavioral :
- Strong Communication, Analytical and problem-solving skills.
- Proven organizational skills with excellent multi-tasking, result oriented and prioritization skills
- Good documentation and reporting skills
- Ability to work independently
- Strong communication and interpersonal skills, able to communicate and relate easily with IT, Finance and back-office users
- Good communication, technical writing/diagramming skills
- Attention to detail and accuracy
- Ability for creativity and innovation
- Self-discipline

Specific Qualifications (if required)
- One or more industry-recognized Information Security certifications such as CISSP, CISA, GCCC, CISM, CEH, CRISC, OSCP or Security+.
- IT Security tools like Firewalls, IPS, WAF, Endpoint protection, Network security, etc.
- IT Auditing (ISO27001/2, NIST 800 Series, ISO27005, ISO42001)
- Regulatory Compliance
- MBA in Finance/Systems/IT, Masters in Technology, Bachelor of Commerce, Masters in Commerce, Bachelor in Science, Bachelor in Technology

Skills Referential

Behavioural Skills : (Please select up to 4 skills)
Communication skills - oral & written
Attention to detail / rigor
Ability to deliver / Results driven
Creativity & Innovation / Problem solving
Transversal Skills:
Analytical Ability
Ability to manage a project
Ability to understand, explain and support change
Ability to develop and adapt a process
Ability to anticipate business / strategic evolution
Education Level:
Bachelor Degree or equivalent
Experience Level
At least 5 years

Other/Specific Qualifications (if required)

- CISA/CISSP/CISM/CRISC

BNP Paribas

Banking

Paris London
