IT Security Risk Manager
Standard / Permanent
HK-Hong Kong (HK)-Hong Kong
PROCUREMENT OR SECURITY OR FACILITIES MANAGEMENT
About BNP Paribas in Asia Pacific (www.apac.bnpparibas)
In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 15,000 employees* and a presence in 14 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.
Worldwide, BNP Paribas has a presence in 74 countries with more than 190,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.
BNP Paribas offers you an exciting career opportunity in an international, challenging business environment characterized by high pace and diversity with focus on creating valuable relations with our customers. We offer a competitive salary & benefits package and also an excellent work environment where you're valued as part of our team!
* excluding partnerships
IT Security Risk Manager ensures that processes across IT operate securely. The remit extends across all aspects of IT security, i.e. policies, standards and procedures, authorization and administration of accesses, networks, servers and workstations, operating systems, databases and applications. Proactively monitors and assesses the IT infrastructure/applications of the company to ensure that the confidentiality, availability, integrity and traceability of IT systems are maintained. It also requires the incumbent to foster close working relationships with other business areas and Business Unit IT and IT Infrastructure Production teams
It covers all IT teams and usage of the IT platform by other departments, as far as the infrastructure and staff located in Asia Pacific are concerned. Another key objective is to ensure that IT maintain an appropriate level of security in compliance with company policy and requirements from regulatory authorities and in accordance with recommendations from General Inspection, Compliance, Internal Audit and external auditors
• Cooperation & contribution
• To actively coordinate and cooperate with other IT and IT Security teams (local, global and regional) to ensure best IT Security practices and deliveries and a smooth interaction.
• To work in partnership with the Business Lines, Organization & Methods, Information Systems, and others to draw up measures for implementing the Bank's Information Systems Security Directives.
• To work closely with Global IT Security & Risk Assessment team to follow-up on strategic projects and security issues.
• To effectively manage cross-functional internal/external team collaboration and communication to effectively and efficiently manage IT Security Risk topics
• To manage the relationship with a particular business throughout Asia
• To participate in audits by internal/external auditors and regulators and articulate controls that satisfy concerns raised by auditors
• To participate & contribute during an IT Security related incident (intrusion, virus, etc.) from risk assessment perspective as and when required
• To work closely with System, Network and Application Teams for closure of non-compliance issues found.
• To contribute to IT quality and process improvement generally.
• Security Risk Management
• Key Activities include:
• IT Security Risk Assessment (New Project, Major app/infra Change and Existing apps)
• Perform Application, Infrastructure & Network architecture security review
• Perform IT security Site Review for branch offices, Data Centre & vendors, as and when required
• Advise and validate the IT security requirements for any projects that are deployed in this region.
• Register, follow up and track Security recommendations, findings & security exception/risk acceptance
• Provide accurate and timely Information technology Security Risk Assessment reports
• Work closely with asset owners or representatives and technical staff to communicate, drive and track the implementation/remediation of security recommendation/findings.
• Responsible for developing and implementing IT security assessment and risk management frameworks and policies
• IT Security Consulting
• Focal point for the assigned business unit on IT security & Risk Management related topics in APAC region
• To manage and support all IT Security & Risk Management related activities assigned business unit coverage in APAC region
• Provide IT Security recommendations to information/infrastructure/application risk issues
• Translate policy statements to enforceable actions
• Provide security consultancy to various security requests and inquiries raised from the business units to the APAC IT Security Risk Management team.
• Security Validation
• Perform Firewall Pre-Change Review for APAC. To be fully part of the network firewall rules approval process, by reviewing and approving FW requests (including firewall, proxy and SMTP requests)
• Perform Firewall Post Change review process to meet regional regulatory requirements such as MAS, HKMA, etc. To be fully involved in the process in BAU ensuring all approved existing/legacy rules are technically appropriate, request revalidated and reconciled.
• Security validate & approval (via Service Now / SailPoint), including below but not limited to
• External Media Access Request
• MobiMax Secure Remote Access (SRA) User Profiles (SmartPass / RSA Token)
• Data restoration (Production to Non-production)
• Remote Desktop Access Request
• Generic Functional/ Service Account creation / modification on servers, workstations and databases
• URL whitelisting request
• User browser whitelisting
• SRA (remote access) whitelisting
• Data Transfer/Download To/From Removable device
• Non-standard Software installation
• To work on Security requests (via Service NOW, Sail Point) and ensuring timely response to requestors
• Internal/External Audit support as and when required
• Controls & Procedures
• To participate in the regular security review of the assigned business units
• To ensure that work is conducted adhering to compliance, data protection (customer & personal data) and other regulatory requirements.
• To minimize operational risks and risks of fraud by implementing regular and sufficient controls related to his position.
• To escalate to his management and/or Operational Risks & Permanent Control any issues identified.
• To actively participate to IT Security Team Organization Framework including, but not limited to, correct time-tracking booking, timely & accurate recording of activity.
Competencies (Technical / Behavioral)
• Extended knowledge of IT infrastructure & network and application security. Must be proficiency in Infrastructure & network (Internet, Intranet, Extranet, DMZ), and Application (Web, Client-Server, payment systems) security reviews
• Extended knowledge of IT Security Risk Management concepts and with good understanding of industry APAC regulations i.e. MAS TRM, HKMA, FSA, etc.
• At least 5 years of direct IT Security Risk Assessment experience with a strong background in Infrastructure & Network and application Risk Assessment, security operations, software development, and network & system administration.
• Good understanding of financial trading and operating environment.
• Must be able to handle stakeholders in a confident, positive and responsive manner.
• Deep knowledge in the following is a must:
- Application (payment systems), Virtualization, Infrastructure & Network architecture review
-Network protocols and network connectivity concepts; Firewall, DMZ and Internet technologies;
-Secure access control mechanisms; Encryption and Key Management techniques
• Technical proficiency in:
Unix / Linux; Windows 2008/2012/7 operating Systems; Mainframe; Sybase, Oracle, SQL and other relational Database Systems; Major SIEM, IPS, IDS, Endpoint, etc. Security tools
• To know how to define an action plan and to follow up on progress.
• To be organized and meticulous.
• Good communication, technical writing/diagramming skills.
• Must be motivated, and able to work independently as well as part of a team.
• Must demonstrate ethical responsibility, maturity, and discretion.
Specific Qualifications Required
Professional credentials in relevant IT security disciplines, such as ITIL-SM, ITGI, CGEIT, CISM, CISA or CISSP, including CISSP-ISSMP, in good standing