Information Security Officer

The position purpose is Security support and internal controls.

In accordance with the framework defined by the IT Governance of BNP Paribas and the IT Risk Management Group framework (ITRMG), the mission of the Vietnam Information Security Officer is to ensure, for the IT activities within his/her entity, the realization of operational permanent control, including the measure and the management of all operational risks linked to Information and Communication Technologies (ICT).

1. IT Security: 
   • Ensure compliancy to BNPP security policies and standard ; 
   • Interfacing with regional security team to align with regional security practice ; 
   • Act as watchtower for new regulations/law or their evolutions in the territory affecting IT Security requirements. 
   • Timely engage regional security team to review new project and applications, escalate/discuss new local regulations ; 
   • Fulfil the responsibilities as documented in regional security process such as security patch management, vulnerability scanning report follow up ; 
   • Promote the security awareness of general users in the local branch ; 
   • Maintaining and make sure all BNPP machines are in line with BNPP standards on hotfix deployment, antivirus update, upgrade PC, Server maintenance, Reports, etc.. ; 
   • Standalone PCs maintenance: Controls on standalone workstations connected to external networks, maintenance Standalone workstation checklist/weekly maintenance, Clean-up, Update Antivirus, etc
   • Coordinate Shadow Light IT applications review with SLIT owners, and their related inherent/residual risks as per regional requirements ; 
   • Coordinate Risk Cards review with process/application owners as per regional requirements ; 
   • Contribute on IT Production security oversights:

1. Review Production and DR locations on a regular basis and make sure they are successfully tested at least twice a year with different scenario
2. Control IT production KRIs and KPIs related to Security ( eg. patching, antivirus update )
3. Conduct standard/customized BNP Paribas security training for new joiners (induction trainer) and yearly local Security Master Class

Besides and importantly, as per BNP Paribas internal control charter, operating IT entities, and first and foremost their managers, are accountable for the risks they are exposed to given the businesses or services they run or deliver.

In this respect, and in full compliance with regulations applicable at group level and at entity level, and in line with group’s norms and requirements, the IT risk manager should for the IT entities under his/her oversight:

• Assist in identifying and assessing operational IT risks the entities are exposed to ; 
• Ensure the risk monitoring and mitigation framework is within the defined risk appetite ; 
• Ensure the implementation and continuous adaptation of the risk framework ;  
• Ensure proper awareness of the risk framework for all IT teams ; 
• Provide consistent risk monitoring & registration tools
• Provide risk management information and reporting to eligible bodies.

2. IT incidents
   • Report, follow-up and act as local focal point for Security Incident ;
   • Able to review the IT incident, understand the root cause, and recommend controls, process modifications, in order to prevent similar incidents occurs in future ;
   • Follow-up on the completion of all remediation action plans defined to solve the IT / IT security issues identified following an incident ; 

3. IT Risks
   • Support the reporting and management of ICT Risks to eligible bodies, with if needed the risk acceptances/cards. This is done notably as part of the RCSA exercise coordinated with Regional IT OPC. 
   • Prepare the quarterly Territory Technology Risk Committee, including logistic support, escalate relevant points additionally to standard agenda, write the minutes, follow-up with identified actions ;  
   • Prepare ICT contributions for various Internal Control and Permanent control committees in Vietnam (e.g. TICC) or at APAC level.

4. IT controls
   • In charge of the deployment and reporting of IT controls (at minimum the major ones : OPC and operational standard ; and specific to requirements of local regulation and local policies when needed) identified to mitigate the risks ;  
   • Execute the above-mentioned controls and escalate the failures to the stakeholders adequately to define the remediation and track it efficiently. 
   • In charge of the preparation of the ICT Permanent control report based on provided templates, where required
   • Participate to the continuous improvement of the library of controls and their deployment, in coordination with regional Security Risks and IT OPC teams

5. IT Recommendations
   • The overall follow-up and reporting (figures, alerts, etc.) of the implementation in the territory 
     • of IT recommendations from IG, regulator, external auditor ;  
     • IT Permanent Control Actions (PCA, from RISK for instance) ;
     • and IT Self-Identified Action Plans ;
     • Follow-up also on the recommendations where IT VN is a contributor. 

6. Third Party Management:
   • Cooperate with vendors for system enhancement or technical support services for IP Tel system, Data and Voice system ; 
   • Follow up closely with vendor in line with BNPP Third Party Security Review Program and Remediation Plan ; 
   • Follow strictly guidance of Global procedure “IT risk & cyber management procedure for outsourced activities” to define the control actions, the KPIs monitoring and the regular reviews of the performances of the IT outsourced services.

• SPOC for PDP in Vietnam, supporting the implementation and maintenance of personal data protection governance and measures locally, in line with local and group regulation. This is done in close collaboration with Vietnam COO (who is also Vietnam DPO), APAC CDO, APAC DPO. It includes 
  • The maintenance of ROPA/PAQ and subsequent questionnaires, 
  • The coordination of the identification of new products/processes/change of organization falling under DPD governance, and the follow-up of related PDP assessments. 
  • The monitoring (watch-tower) of local PDP regulation evolutions, their analysis and the alert of APAC CDO/DPO and VN COO. 

Contributing Responsibilities

• APAC Cyber Security Incident Response Team
• APAC Threat Intelligence (share any threat indicator collected locally)
• IT Projects
• Contribution / support to the People security and Premises security tasks . The role is primary governed by 2 group policies:
  • IMS-L2-01 - International Mobility Security Policy and Requirements
  • PPS-L2-01 - Site and Physical Asset Security Requirements. In APAC this policy is further supplemented by an APAC version on people and premises security.

Contribution to Business Continuity Management tasks, under the lead of VN head of Operational Permanent Control