About the Company :
BNP Paribas Group is a leading European bank
with a strong global footprint across 72 markets and more than 202,000
employees. The Group provides corporates, institutional
and private investors with product and service solutions tailored to their
specific needs. It offers a wide range of financial services covering corporate
& institutional banking, wealth management, asset management, insurance, as
well as retail banking and consumer financing through strategic partnerships
About BNP Paribas India Solutions:
Established in 2005,
BNP Paribas India Solutions is a wholly owned subsidiary of BNP Paribas Group,
a leading bank in Europe with an international reach. With delivery centers
located in Mumbai and Chennai, we are a 24x7 global delivery center. We partner
various business lines of BNP Paribas such as Corporate and Institutional
Banking, Wealth Management, Retail Banking through three verticals -
Information Technology, Operations and Finance Shared Services.
Security risk management policy
(SRM-L2-00), and aligned with the Group 2OPC approach related to risks
cartography (CG0121EN and COP0028EN).
Cross references to Risk
analysis methodology user guide (SRM-L4-01) are also provided to aid
comprehension of the risk analysis methodology proposed by GGS (which is based
on EBIOS methodology).
Risk level is the combination of
the severity of impacts (or consequences), that can be assessed through
the Impact Severity Matrix sheet, and of the likelihood for a feared
event, that can be assessed though the likelihood Matrix sheet.
For Impact study please consider
the below support information:
Impact severity level is used to
assess risk level (in combination with likelihood of threat scenarios) and
relies on the potential consequences of a feared event on an essential asset
(to be assessed by the business).
For a feared event, the severity level can be different depending on each type
of impact. Hence, the final severity level for each feared event should
correspond to the highest severity level assessed amongst all impact types;
Criticality of assets is bound to security needs, to be evaluated for
Confidentiality, Integrity, Availability, and Traceability (combines
Non-repudiation and Authenticity);
Sensitivity is used to describe the criticality of data and information. Sensitive
data hence means that this data or information is a critical asset, in
particular in terms of Confidentiality (but it may also concern other security
Although impacts with
high severity levels are more likely when essential assets are concerned,
criticality level is not directly used to calculate risk level (severity level
is used instead).
Manage BP2S Global IT Risk activities from Chennai as extended team of Paris IT
ISAE 3402 Audit for BP2S Global IT Risk and Cyber Security Team.
ACTIONS IMPLEMENTATION FOLLOW-UP
Action Plans RCP
Action Plans Incidents
MONITORING (KMP / KPI / KRI)
IT OPC COMMUNICATION, SUPPORT & GOVERNANCE
Lines of Defence: 1st,
CIO & Comex IT
ISAE 3402 – IT Risk Audit
with assurance engagements undertaken by an auditor to provide a report for use
by user entities and their auditors on the controls at a service organization
that provides a service to user entities that is likely to be relevant to user
entities' internal control as it relates to financial reporting.