IT Operational Permanent Controls Professional

Position Purpose

• This position is part of the IT-Risk & Cyber Security team, which is serving all entities of the BNPP Group in Germany and Austria.
• The mission of the IT-OPC Professional, in accordance with the defined policy defined, is to assure that there are no gaps left uncovered in terms of IT-Risk assessment, corresponding permanent controls, and that operational governance is in place in all IT teams. The role covers from an IT-OPC perspective, all activities which are in the scope of the served entities (local, central and outsourced activities).
• Risk assessments, 1st level controls and testing of the effectiveness of IT and Information Security solutions are a major part of the daily task list.
• Further, tasks include outsourcing monitoring / Third Party Risk Management and assessment, monitoring and reporting of Shadow IT situations.
• Support IT teams to implement compliance with BNP Paribas requirements and follow and control corresponding tasks and monitor regulatory changes.
• Operational incident management: Monitoring and assessing IT incidents for real or potential losses.
• Support of access rights controls reconciliation and recertification of access rights in close cooperation with corresponding IT admin teams.
• Close cooperation is necessary with the operational IT teams, the local OPC team and the central IT-OPC organization.

Responsibilities

Direct Responsibilities

• To ensure consistency of approach, methodology, reporting, business alignment in regard to risk assessments and management, control frameworks, control design and effectiveness, testing, evidence, reporting.

• Provides control and risk expertise for the business unit/functions in his (her) area.

• Working with technology stakeholders (including operational production and development teams) to identify IT-Risks impacting the firm and formulating appropriate remediation strategies based on full understanding of business exposure and compensating controls.

• Contributes to the definition and development of procedures, in line with head office policies.

• Providing independent expert advice to the IT areas on operational risk issues.

• Executing IT-Risk assessment reviews, identifying controls gaps and working in collaboration with subject matter experts to define appropriate mitigation plans.

• Performs 1st level analysis of IT and IT-Security controls and assesses the related impacts; supports 2nd controls and provides reports to the second line of defence.

• Reviews regularly the registry of operational IT-Risks and corresponding controls plans and prepares management status reports.

• Checks the robustness and efficiency of the IT and IT Security controls according to the requirements defined by the IT-Risk Manager of his (her) area.

• Monitoring and oversight of existing IT-Risks, working collaboratively with stakeholders in ensuring plans are managed within timescales and escalating where appropriate.

• Contributes to the monitoring and management of IT-related nonconformities.

• Assure compliance of the IT and Information Security framework with BNPP group policies and procedures.

• Engaging with firm wide risk and control groups, including internal audit and territory control teams.

• Assisting with risk treatment statements and co-ordinating sign-off from business and IT stakeholders.

• Maintain dashboards and control sheets.

• Accompanies, coordinates, and supports internal and external audits of the IT function in his (her) area.

• Follows up progress and closure of recommendations of internal and external audits of the IT function in his (her) area, along with an appropriate reporting.

• Rolling out risk awareness actions to enhance IT-Risk culture in IT teams and business teams (e.g. remind on the need for proper software user acceptance tests before each release; need to know principle in access rights requirements).

Technical & Behavioral Competencies

• Experience in a risk/control/compliance/governance role e.g. OPC, Audit

• IT / IT security experience

• Proficiency in MS Office and related applications (Word, Excel, PowerPoint, Visio and SharePoint).

Specific Qualifications (if required)

• Knowledge of Information Security principles and Information Systems Security standards like:

o ISO 27001

o ISO 27002

o ISO 27005 Risk Management (Information Security Risk Management)

o NIST Cyber Security Framework (CSF)

• ISACA Certified Information Systems Auditor (CISA) certification is a plus

Skills Referential

Behavioural Skills: (Please select up to 4 skills)

Communication skills - oral & written

Ability to collaborate / Teamwork

Ability to synthetize / simplify

Attention to detail / rigor

Transversal Skills: (Please select up to 5 skills)

Analytical Ability

Ability to understand, explain and support change

Ability to develop and adapt a process

Ability to manage / facilitate a meeting, seminar, committee, training

Choose an item.

Education Level:

Bachelor Degree or equivalent

Experience Level

At least 5 years