Job Description – APAC
Note to Hiring Manager: In support of BNP Paribas APAC's Diversity Commitment, Hiring Managers are to consider at least 1 Asia Pacific national, 1 male and 1 female candidate for the position to be filled.
Job Title: Chief Information Security Officer
Date: August 2024
Department: IT
Location: Mumbai, India
Business Line / Function: ITO CCCO
Reports to (Direct): SIPL COO
Reports to (Functional): APAC Head - Business and Information Security
Grade (if applicable):
Number of Direct Reports: N/A
Directorship / Registration: N/A
Is Associated Person (AP)*: No
*For GM, GB, ALMT, FIC, WM, Legal and Risk
In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 18,000 employees* and a presence in 13 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.
Worldwide, BNP Paribas has a presence in 68 markets with more than 193,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.
*excluding partnerships
At BNP Paribas, we passionately embrace diversity and are committed to fostering an inclusive workplace where all employees are valued, respected and can bring their authentic selves to work. We prohibit Discrimination and Harassment of any kind and our policies promote equal employment opportunity for all employees and applicants, irrespective of, but not limited to, their gender, gender identity, sex, sexual orientation, ethnicity, race, colour, national origin, age, religion, social status, mental or physical disabilities, veteran status etc. As a global Bank, we truly believe that the inclusion and diversity of our teams is key to our success in serving our clients and the communities we operate in.
Position Purpose
The key objective of this role is to ensure that processes across IT operate securely. The remit extends across all aspects of IT security (policies and procedures, authorization and administration of accesses, networks and firewalls, servers and workstations, operating systems, databases and applications), wherever applicable, and covers all IT teams as well as the usage of the IT platform by other departments. Another key objective is to ensure that IT maintains an appropriate level of security in compliance with company policy and with requirements from regulatory & market authorities, and in accordance with recommendations from General Inspection, Compliance, Internal Audit and External Auditors. This role also contributes to the design, testing and roll-out of security controls such as access management, exception management and data leakage prevention, in accordance with established regional processes.
Responsibilities
Direct Responsibilities
1. IT Risk Management
- Inform the APAC IT Security Risk Management team about any new project or major change within India for further risk assessment.
- Ensure that risk assessments of in-scope projects, third-party vendors and deviations from policies & best practice are properly conducted. Ensure that the recommendations issued for projects and the security exceptions / risk acceptances are properly followed up.
- Translate policy statements into local guidelines and procedures in order to produce enforceable actions.
- Enforce an efficient user account management process in order to authorize and control users' accesses and habilitations (entitlements) to IT systems.
- Monitor and ensure immediate and accurate reporting of any SIPL IT Security related incident (intrusion, virus, etc.) to the regional & global IT Security and Incident Management processes.
- Be part of the network rules review and recertification process, by reviewing and approving all network access requests (including firewall, proxy and SMTP requests), and perform periodic reviews.
- Work in partnership with the Business Lines, Organization & Methods, Information Systems and others to draw up measures for implementing the Company's Information Systems Security Directives; in particular, participate in all projects in order to ensure that good IT Security practices are respected.
- Occasionally participate in the regional security risk assessment of business line applications.
- Work with the different stakeholders and assist the India CIO in implementing the IT risk management framework.
- Conduct the necessary security controls, reviews and assessments to ensure that best security practice is in place.
2. IT Security Control Design, Testing and Implementation
- Gather control requirements based on regulatory guidelines and business needs.
- Assist in the design of local and business-specific security controls.
- Contribute to the processing of day-to-day security events, leading or supporting security investigations and escalation to the relevant stakeholders (Business, Compliance, Legal, HR, IT).
- Maintain exception management workflows and track local exceptions and their recertification.
- Produce periodic KPI and KRI dashboards and distribute them to local management.
3. Coordination & Cooperation
- Actively coordinate and cooperate with other IT and APAC Security teams to ensure best IT Security practices, deliveries and a smooth interaction.
- Work closely with the IT Infrastructure & Production team, as well as the Business Lines IT teams, for closure of non-compliance issues found within the scope of responsibility.
- Assist in the production and follow-up of the Security Dashboard by APAC Security.
- Maintain an IT Security Awareness training program for all local employees.
- Assist the SIPL COO/CIO in producing the required and requested reporting to the local regulatory & market authorities.
- Answer requests raised by Internal Audit and Risk, and promptly close findings and recommendations.
4. Team management
- As team head, supervise and lead the SIPL information security team:
- Ensure the team's mandated learnings (eLearning, classroom training) are completed before the due date.
- Ensure block leave and carryover leave are managed per policy.
- Ensure timesheets are recorded in Clarity.
- Identify a development and training plan for the team.
- Create a succession plan and backup plan for the team.
- When necessary, manage low performers with development plans and keep track of their progress (if applicable).
5. Permanent Control Aspects
- Direct contribution to the BNPP operational permanent control framework.
- Responsible for the implementation of operational permanent control policies and procedures in day-to-day business activities, such as the Control Plan.
- Responsible for ensuring that team members (if applicable) comply with regulatory requirements and internal guidelines.
- Responsible for reporting all incidents according to the Incident Management System.
- Responsible for ensuring that job descriptions are written, distributed and updated.
- Ensure audit recommendations are resolved within the specified timeline.
Contributing Responsibilities
1. Cooperation
- Improve IT quality and processes generally.
2. Compliance & Control
- Comply with the BNPP IT Security policies.
- Comply with the BNPP standards of Code of Conduct.
- Comply with regulatory requirements and internal guidelines.
- Ensure appropriate escalation to management and/or Permanent Control (or Compliance as appropriate) as soon as an issue is identified.
- Minimize operational failure, including but not exclusively the risk of fraud, by helping to devise, and by implementing, sufficient regular controls.
3. Committees
- Participate in and contribute to the different committees related to the job scope, including but not limited to IT management, IT risk management (TRM), country supplier risk management, data governance, data protection, local outsourcing management, etc.
Technical & Behavioral Competencies
- Knowledgeable of IT Security concepts.
- Knows the IT Security regional roadmap.
- Maintains a good knowledge of the technologies, systems, integration and workflows of the IT Security program.
- Knows the organization of global IT Security as well as regional Security, whom to contact depending on the matter, and maintains good relationships with IT Security managers.
- Knows program management methodology.
- Knows how to define an action plan and follow up on progress.
- Organized and meticulous.
- Knows how to communicate clear instructions and follow up while delegating appropriately.
- Negotiation skills.
Specific Qualifications (if required)
- Securities practitioner qualification is a must.
- Strong local regulatory experience with SEBI is required.
- Bachelor's degree in Computer Science, Information Security or equivalent experience.
- Holder of an information security and risk management certification (e.g. CISM, CISSP) preferred.
Skills Referential
Behavioural Skills (please select up to 4 skills):
- Ability to collaborate / Teamwork
- Communication skills - oral & written
- Decision Making
- Personal Impact / Ability to influence
Transversal Skills (please select up to 5 skills):
- Ability to understand, explain and support change
- Ability to manage a project
- Ability to develop and adapt a process
- Ability to inspire others & generate people's commitment
- Ability to manage / facilitate a meeting, seminar, committee, training…
Education Level: Bachelor Degree or equivalent (3 years)
Experience Level: At least 7 years
Other/Specific Qualifications (if required):