LEAD AUDITOR - INDEPENDENT TECHNICAL TESTING
MISSION AND OBJECTIVES
The Information and Communications Technology (ICT) Risk department is part of the Group RISK ORC Functions within BNP Paribas. It is a part of the 2nd Line Of Defence (2LOD) under the Bank's Chief Cyber & Technology Risk Officer. Among other duties, the department is responsible for identifying key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions.
This is achieved by delivering:
- Application & Infrastructure Risk Assessments: working with the Business and Technology teams to identify security issues in existing and new systems, agree corresponding actions to mitigate or accept risks, and track issues and agreed actions to completion.
- Horizontal Risk Assessments: Assessing technology risks in relation to a particular theme or technology across the organization. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments: Assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment on our remote working solution (including infrastructure, applications, data, threats, etc.) or our Internet connectivity.
- Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
- Recurrent analysis of the maturity of controls across all entities of the Group.
Independent Technical Testing (ITT) is one of the activities of the Information and Communications Technology Risk department. You will join this team and participate in internal assessments to identify Information and Communications Technology risks, including those linked to Cyber Security, with a BNP Paribas worldwide scope.
The Assessor shall be an all-round specialist in Information and Communication Technologies, which include IT Processes, Governance, Architecture, Network, Systems, Application, Cyber Security and Continuity related subjects. The assessor shall be competent to improve team skills on some ICT subjects and to ensure the quality, relevance and traceability of all identified gaps.
As an assessor, you will interact directly with customers at all levels of management, and be able to synthesise and popularise technical findings and identify risks. Your excellent interpersonal and verbal/written communication skills will help ensure the smooth roll-out of assessments.
As part of the team, you will also have the chance to help improve the assessment methodology and to develop the team's tooling to improve the relevance of the findings.
- Provide independent advice and timely assurance to management on the adequacy and effectiveness of policies, process, systems and controls.
- Contribute to the development and implementation of a comprehensive assessment methodology and the associated tooling to deliver consistent reports.
- Schedule and plan assessments with customers, assessors and team members.
- Interact with customers at all levels of management.
- Document and report the results of investigations, ensuring the quality, relevance and traceability of the weaknesses identified.
- Ensure the on-time delivery of complete and accurate reports.
- Lead and oversee the life cycle of an assessment.
TRAINING AND OCCUPATIONAL EXPERIENCE
• Master's degree or equivalent in ICT domains.
• 3+ years as an IT assessor.
• Industry-recognized information security certifications such as CISSP, CISA, GCCC, CISM, CRISC, CEH, OSCP or Security+.
• Mastery of delivering formal deliverables such as PowerPoint presentations, reports or procedures.
• Demonstrated ability to communicate effectively and to present in a structured approach.
• Mastery of MS Office.
• Good knowledge of ICT subjects.
• Demonstrated ability to communicate effectively with stakeholders and technical staff.
• Excellent written and verbal communication.
SKILLS AND BEHAVIOURS
• Role model, promotion of a culture of good conduct and contribution to maintaining such a culture
• Proactivity, transparency and clear accountability for the determination and management of behavior risks
• Consistently develop and leverage teamwork between peers, management and stakeholders
• Eye for detail, ability to process a high volume of documents and correlate them
• Be able to work under pressure in an international environment
• Highly organized, with a proven ability to manage a wide number of subjects at any given time.
• Be an enthusiastic and committed team player
• Understanding of the Agile audit approach
• Prepared to travel internationally
ESSENTIAL SPECIFIC REQUIREMENTS
Mastery of concepts related to network infrastructures and information system security, including emerging threats and attack methodologies, for example:
• Network security, network equipment configuration, network protocols, network standards, supervision, conceptual skills, decision making, informing others, functional and technical expertise, reliability, information security policy.
• Recognized skills for the integration of different security or data protection technologies within a coherent architecture to effectively cover the risks of the company.
• Mastery of technical testing tools and script development
• Experience of pen-testing (network, application, system, etc.) will be a plus
• Good technical understanding of security technologies, including intrusion detection/prevention, correlation of events, firewalls, antivirus, anti-spam, policy tightening, patch management and configuration management, audit, secure development techniques, etc.
• Knowledge of cryptographic standards for encryption, electronic signatures, key management and public key infrastructure (PKI).
• Good understanding of native platforms or common applications such as (non-exhaustive list): UNIX, Linux, Windows, Android, iOS, Oracle, MS SQL, Microsoft Outlook, J2EE and .NET applications, etc.
• Knowledge of IT controls