MISSION AND OBJECTIVES
The Information and Communications Technology (ICT) Risk department is part of the Group RISK ORC Functions within BNP Paribas. It is a part of the 2nd Line Of Defence (2LOD) under the Bank's Chief Cyber & Technology Risk Officer. Among other things, the department is responsible for identifying key technology risks to the Bank and for influencing business and technology partners to take sound risk management decisions.
This is achieved by delivering:
- Application & Infrastructure Risk Assessments: working with the Business and Technology teams to identify security issues in existing and new systems, and agreeing corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
- Horizontal Risk Assessments: assessing technology risks in relation to a particular theme or technology across the organization. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments: assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment of our remote working solution (including infrastructure, applications, data, threats, etc.) or of our Internet connectivity.
- Partnership with the Business and Technology teams: helping them understand their technology risk profile and influencing their risk management decisions.
- Recurrent analysis of the maturity of controls across all entities of the Group.
Independent Technical Testing (ITT) is one of the activities of the Information and Communications Technology Risk department. You will join this team and participate in internal assessments to identify Information and Communications Technology risks, including those linked to Cyber Security, with a BNP Paribas worldwide scope.
MAIN RESPONSIBILITIES
The Assessor shall be an all-round specialist in Information and Communication Technologies, including IT Processes, Governance, Architecture, Network, Systems, Application, Cyber Security and Continuity related subjects. The assessor shall be competent to improve team skills on some ICT subjects and to ensure the quality, relevance and traceability of all identified gaps.
As an assessor, you will interact directly with customers at all levels of management, and be able to synthesize and popularise technical findings and identify risk. Your excellent interpersonal and verbal/written communication skills will help to ensure the smooth roll-out of assessments.
As part of the team, you will also have the chance to help improve the assessment methodology and to develop the team tooling to improve the relevance of the findings.
- Provide independent advice and timely assurance to management on the adequacy and effectiveness of policies, processes, systems and controls.
- Contribute to the development and implementation of a comprehensive assessment methodology and the associated tooling to deliver consistent reports.
- Schedule and plan assessments with customers, assessors and team members.
- Interact with customers at all levels of management.
- Document and report the results of investigations, ensuring the quality, relevance and traceability of the weaknesses identified.
- Ensure the on-time delivery of complete and accurate reports.
- Lead and oversee the life cycle of an assessment.
TRAINING AND OCCUPATIONAL EXPERIENCE
• Master's degree or equivalent in ICT domains.
• 3+ years of experience as an IT assessor.
• Industry-recognized information security certifications such as CISSP, CISA, GCCC, CISM, CRISC, CEH, OSCP or Security+.
• Mastery of delivering formal deliverables such as PowerPoint presentations, reports or procedures.
• Demonstrated ability to communicate effectively and to present in a structured manner.
• Mastery of MS Office.
• Good knowledge of ICT subjects.
• Demonstrated ability to communicate effectively with stakeholders and technical staff.
• Excellent written and verbal communication.
SKILLS AND BEHAVIOURS
• Role model, promoting a culture of good conduct and contributing to maintaining such a culture
• Proactivity, transparency and clear accountability for the identification and management of behaviour risks
• Consistently develop and leverage teamwork between peers, management and stakeholders
• Eye for detail, with the ability to process a high volume of documents and correlate them
• Able to work under pressure in an international environment
• Highly organized, with a proven ability to manage a wide number of subjects at any given time
• An enthusiastic and committed team player
• Understanding of the Agile audit approach
• Prepared to travel internationally
ESSENTIAL SPECIFIC REQUIREMENTS
Mastery of concepts related to network infrastructures and information system security, including emerging threats and attack methodologies, for example:
• Network security, network equipment configuration, network protocols, network standards, supervision, "Conceptual Skills," "Decision Making," "Informing Others," functional and technical expertise, reliability, information security policy.
• Recognized skills in integrating different security or data protection technologies within a coherent architecture to effectively cover the risks of the company.
• Mastery of technical testing tools and script development.
• Experience of pen-testing (network, application, system...) will be a plus.
• Good technical understanding of security technologies, including intrusion detection/prevention, correlation of events, firewalls, antivirus, anti-spam, policy tightening, patch management and configuration management, audit, secure development techniques, etc.
• Knowledge of cryptographic standards for encryption, electronic signature and key management infrastructure (PKI).
• Good understanding of native platforms or common applications such as (non-exhaustive list): UNIX, Linux, Windows, Android, iOS, Oracle, MS SQL, Microsoft Outlook, J2EE and .NET applications, etc.
• Knowledge of IT controls.