IT Security Digital Risk Manager
BNP Paribas offers you an exciting career opportunity in an international, challenging business environment characterized by high pace and diversity with focus on creating valuable relations with our customers. We offer a competitive salary & benefits package and also an excellent work environment where you're valued as part of our team!

About BNP Paribas in Asia Pacific ( www.apac.bnpparibas )
In Asia Pacific, BNP Paribas is one of the best-positioned international financial institutions with an uninterrupted presence since 1860. Currently with over 15,000 employees* and a presence in 14 markets, BNP Paribas provides corporates, institutional and private investors with product and service solutions tailored to their specific needs. It offers a wide range of financial services covering corporate & institutional banking, wealth management, asset management, insurance, as well as retail banking and consumer financing through strategic partnerships.
Worldwide, BNP Paribas has a presence in 74 countries with more than 190,000 employees. It has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. Asia Pacific is a key strategic region for BNP Paribas and it continues to develop its franchise in the region.
* excluding partnerships
The IT Security Digital Risk Manager joins the APAC IT Security Risk Management team to deliver specialist Digital Risk Management to the business as part of the bank's digital transformation initiatives.
The IT Security Digital Risk Manager ensures that processes across IT operate securely. The remit extends across all aspects of IT security, i.e. policies, standards and procedures, authorization and administration of accesses, networks, servers and workstations, operating systems, databases and applications. The role proactively monitors and assesses the IT infrastructure/applications of the company to ensure that the confidentiality, availability, integrity and traceability of IT systems are maintained. It also requires the incumbent to foster close working relationships with other business areas and with Business Unit IT and IT Infrastructure Production teams.
It covers all IT teams and the usage of the IT platform by other departments, as far as the infrastructure and staff located in Asia Pacific are concerned. Another key objective is to ensure that IT maintains an appropriate level of security in compliance with company policy and requirements from regulatory authorities, and in accordance with recommendations from General Inspection, Compliance, Internal Audit and external auditors.
This role is primarily responsible for risk assessment engagements in Digital projects from all APAC business units, ensuring that digital risk is properly recognized, assessed and mitigated, and that digital risk management strategies, tools, frameworks and standards are in place. This role will coordinate across APAC IT Security functions, identifying and delivering solutions to digital risk issues and proactively identifying improvements.
The Digital Risk Manager must have a strong understanding of risk management/assessment and its application to various emerging technologies, including but not limited to Cloud technology, Mobile Device technology, Virtualization technology, Sandbox technology and Agile development.
• Cooperation & contribution
• To actively coordinate and cooperate with other IT Infrastructure and Application Production, IT Architecture and IT Security teams (local, global and regional) to ensure best IT Security practices, deliveries and smooth interaction.
• To work in partnership with the Business Lines, Organization & Methods, Information Systems, and others to draw up measures for implementing the Bank's Information Systems Security Directives related to the Bank's Digital Transformation.
• To work closely with Global IT Security & Risk Assessment team to follow-up on strategic digital transformation projects and related security issues.
• To manage cross-functional internal/external team collaboration and communication so that IT Security Digital Risk topics are handled effectively and efficiently.
• To manage the relationship with a particular business throughout Asia
• To participate in audits by internal/external auditors and regulators and articulate controls that satisfy concerns raised by auditors.
• To participate and contribute during an IT Security related incident (intrusion, virus, etc.) from a risk assessment perspective as and when required.
• To work closely with System, Network and Application Teams for closure of non-compliance issues found.
• To contribute to IT quality and process improvement generally.
• Security Risk Management
• Key Activities include:
• IT Security Digital Risk Assessment (New Project, Major app/infra Change and Existing apps)
• Perform Application, Infrastructure & Network architecture security review with primary focus on Digitalization projects risk assessment
• Perform IT security Site Review for branch offices, Data Centre & vendors, only as and when required
• Advise and validate the IT security requirements for any projects that are deployed in this region.
• Register, follow up and track Security recommendations, findings & security exception/risk acceptance
• Provide accurate and timely Information Technology Security Risk Assessment reports
• Work closely with asset owners or representatives and technical staff to communicate, drive and track the implementation/remediation of security recommendation/findings.
• Responsible for developing and implementing IT security assessment and risk management frameworks and policies with specific focus on Digital Risk Management
• IT Security Consulting
• Focal point for the assigned business unit on IT Security & Risk Management related topics in the APAC region, with primary focus on the Bank's Digital transformation initiatives
• To manage and support all IT Security & Risk Management related activities for the assigned business unit coverage in the APAC region
• Provide IT Security recommendations to information/infrastructure/application risk issues
• Translate policy statements to enforceable actions
• Provide security consultancy to various security requests and inquiries raised from the business units to the APAC IT Security Risk Management team.
• Security Validation
• Perform Firewall Pre-Change Review for APAC. To be fully part of the network firewall rules approval process, by reviewing and approving FW requests (including firewall, proxy and SMTP requests)
• Perform the Firewall Post-Change review process to meet regional regulatory requirements such as MAS, HKMA, etc. To be fully involved in the process in BAU, ensuring all approved existing/legacy rules are technically appropriate and that requests are revalidated and reconciled.
• Security validation & approval (via ServiceNow / SailPoint), including but not limited to:
• External Media Access Request
• Data restoration (Production to Non-production)
• To work on Security requests (via ServiceNow, SailPoint), ensuring a timely response to requestors
• Internal/External Audit support as and when required
• Controls & Procedures
• To participate in the regular security review of the assigned business units
• To ensure that work is conducted adhering to compliance, data protection (customer & personal data) and other regulatory requirements.
• To minimize operational risks and risks of fraud by implementing regular and sufficient controls related to the position.
• To escalate to management and/or Operational Risks & Permanent Control any issues identified.
• To actively participate in the IT Security Team Organization Framework including, but not limited to, correct time-tracking booking and timely & accurate recording of activity.
Competencies (Technical / Behavioral)
• Extended knowledge of IT infrastructure & network and application security. Must be proficient in Cloud technology, Mobile Device technology, Virtualization technology, Sandbox technology and agile development methodology, as well as in infrastructure & network (Internet, Intranet, Extranet, DMZ) and application (Web, Client-Server, payment systems) security reviews.
• Extended knowledge of IT Security Risk Management concepts, with a good understanding of APAC industry regulations, e.g. MAS TRM, HKMA, FSA, etc.
• At least 5 years of direct IT Security Risk Assessment experience with a strong background in Infrastructure & Network and application Risk Assessment, security operations, software development, and network & system administration. Prior experience in emerging digital risk assessment methodology and its application is preferred.
• Good understanding of financial trading and operating environment.
• Must be able to handle stakeholders in a confident, positive and responsive manner.
• Deep knowledge in the following is a must:
- Application (payment systems), Virtualization, Cloud Computing, Infrastructure & Network architecture review
- Network protocols and network connectivity concepts; Firewall, DMZ and Internet technologies
- Secure access control mechanisms; Encryption and Key Management techniques
• Technical proficiency in:
Unix / Linux; Windows 2008/2012/7 operating systems; Mainframe; Sybase, Oracle, SQL and other relational Database Systems; major security tools (SIEM, IPS, IDS, Endpoint, etc.)
• To know how to define an action plan and to follow up on progress.
• To be organized and meticulous.
• Good communication, technical writing/diagramming skills.
• Must be motivated, and able to work independently as well as part of a team.
• Must demonstrate ethical responsibility, maturity, and discretion.
Specific Qualifications Required
• Professional credentials in relevant IT security disciplines, such as ITIL-SM, ITGI, CGEIT, CISM, CISA or CISSP, including CISSP-ISSMP, in good standing