
CLOUD SECURITY RISK LEAD ASSESSOR

Remote: Full Remote
Offer summary

Qualifications:

Good knowledge of IT risks, information security, IT operations and audit methods; experience in IT risks, business continuity and IT management; written communication skills; ability to manage tasks effectively; lifelong learning mentality; Agile work approach; optional: certifications such as CISA, CISSP, CRISC; blend of technical and business knowledge.

Key responsibilities:

  • Lead oversight on Cloud programs, advice on risk reporting
  • Participate in governance committees, define security controls, report risks
  • Engage in community building, collaborate within Risk stakeholders, manage Cloud security concerns proactively
  • Manage risk assessments, review Cloud services controls, provide guidance and reports
BNP Paribas Banking Large https://www.group.bnpparibas/
10001 Employees

Job description

The RISK ORM (Operational Risk Management) Technology Risk Intelligence Digital Solutions department is part of the Group Risk Functions within BNP Paribas. It is part of the 2nd line of defence under the Bank's Enterprise Risk Management and Chief Operational Risk Officer. The department is responsible for identifying key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions. Our work involves initiatives such as the following:

  • Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks
  • Tracking issues and agreed actions to completion
  • Horizontal and Vertical Risk Assessments
  • Assessing technology risks in relation to a particular theme or technology across the third party suppliers. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
  • Assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment on our remote working solution (including Infrastructure, applications, data, threats etc.) or our Internet connectivity.
  • Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.

ROLE

Integrated in the Global Iberian Centre of Excellence, the candidate will be responsible for the role of BNP Paribas Group Cloud Security Risk Lead Assessor.

This role aligns with the 2LoD involvement required on the BNP Paribas dedicated hybrid Cloud, which is the core of the Cloud Strategy. The scope of the role involves coordination, oversight and advice on:

  1. BNP Paribas Group dedicated hybrid Cloud Program, Cloud adoption and operations with periodic and event based risk reporting to management and risk committees in alignment with IT Group Cloud Program & team, Group CISO & team, IT Group Production & teams and Cloud Service Provider teams.
  2. Community building, collaboration and partnering as dedicated hybrid Cloud security expert with RISK ORM and cross functional stakeholders on policies, procedures, control requirements, poles and entities dedicated hybrid Cloud adoption, Operational resilience, crisis management, data centre and telecom plan, Cloud security operations, third party technology risk management, emerging technology, pole and entities IT strategy & strategic programs, etc.
  3. Technical assurance, operational assurance and reporting to management and risk committees for mission driven risk assessments, reviews and audits associated with dedicated hybrid Cloud services (IaaS, PaaS, SaaS, Container services, etc.), applications using dedicated hybrid Cloud services in poles and entities, and dedicated hybrid Cloud services operations.

The position is based in Madrid reporting directly to the Global RISK ORM Iberian Centre of Excellence and functionally to RISK ORM Technology Risk Intelligence Digital lead located in London.

SCOPE

KEY RESPONSIBILITIES

  • Coordinate, oversee and advise on the RISK ORM contribution to and oversight of the BNP Paribas Group dedicated hybrid Cloud Program, Cloud adoption and operations, with periodic and event based risk reporting to management and risk committees in alignment with IT Group Cloud Program, Group CISO, IT Group Production teams, Cloud service providers, etc.
  • Participate in multiple Group Cloud program and operations governance committees for dedicated hybrid Cloud with IT Group Cloud Program, Group CISO, IT Group Production teams, Cloud service provider, etc. covering topics of Cloud strategy, Cloud security & ICT (Information and Communications Technology) risks, Cloud adoption, operational security, remediation actions, etc.
  • Periodic (weekly, monthly, quarterly, half yearly, annual) and need or event based risk reporting to management and group risk committees on dedicated hybrid Cloud services adoption status and plan, risks, issues, Cloud security maturity, remediation actions, etc.
  • Define minimum baseline dedicated hybrid Cloud security controls in collaboration with IT Group Production security teams, Cloud security experts, Operational risk officers, ICT risk officers, etc.
  • Define process and workflow to automate monitoring and reporting of compliance to minimum baseline dedicated hybrid Cloud security controls on Cloud security posture management solutions in collaboration with IT Group Production teams, Cloud service provider, ICT risk officers, operational risk officers, etc.
  • Define and update risk reporting template and metrics for Cloud security and risks of dedicated hybrid cloud services (Infrastructure, platform, software, containers, etc.) and applications using dedicated hybrid cloud services
  • Identify and update risk reporting methods using automated solutions, leveraging existing or new solutions of Governance, Risk and Compliance (GRC) tools for dedicated hybrid Cloud services asset register, risk register, remediation tracking, etc. Cloud Security Posture Management solutions, operational risk management solutions, IT service management solutions, reporting & dashboard solutions, etc.
  • Promote and manage the Cloud community building, collaboration and partnering as dedicated hybrid Cloud security expert with operational Risk stakeholders and cross functional teams on policies, procedures, control requirements, poles and entities dedicated hybrid Cloud adoption, operational resilience, crisis management, Cloud security operations, data centre and telecom plan, third party technology risk management, emerging technology, pole and entities IT strategy & strategic programs, etc.
  • Lead and liaise with pole and entities Operational Risk officers periodically (weekly / monthly) and on need or event based for dedicated hybrid Cloud governance committee meetings and reporting to management of Cloud adoption by business & IT applications in Poles and entities, Cloud security risks, issues, remediation actions, etc.
  • Lead and liaise with third party risk management teams periodically (weekly / monthly / quarterly) and on need or event based for Contract committees, security committees with Cloud providers and Independent Software vendors (ISVs), 3rd parties management committees and reporting to management on Cloud provider risks, 3rd parties, ISVs risks, issues, remediation actions, etc.
  • Lead and liaise with Operational risk and ICT risk officers periodically (weekly / monthly) and need or event based for dependencies on Cloud security operations, Data centre rollouts, telecom plan or other program dependencies for dedicated hybrid Cloud and reporting to management on such dependencies and associated risks, issues, remediation actions, etc.
  • Lead and liaise with operational risk officers and ICT risk officers periodically (weekly / monthly) and need or event based for dependencies of poles and entities IT strategy, strategic programs on dedicated hybrid Cloud and reporting to management on such dependencies and associated risks, issues, remediation actions, etc.
  • Lead and liaise with operational ICT risk officers and teams of Digital Solutions, emerging technology teams including AI, API, Blockchain, digital assets, etc. periodically (weekly / monthly) and need or event based for dependencies on dedicated hybrid Cloud and reporting to management of such dependencies and associated risks, issues, remediation actions, etc.
  • Lead and manage technical assurance, operational assurance and reporting to management and risk committees for mission driven risk assessments, reviews and audits associated with dedicated hybrid Cloud services (IaaS, PaaS, SaaS, Container services, etc.), their adoption and operations in the organization globally.
  • Execute missions for Cloud security risk assessments, reviews or audits of dedicated hybrid Cloud services (infrastructure, platform, databases, software, containers, etc.), applications using dedicated hybrid Cloud services, Cloud service providers, Cloud security solutions like Cloud Identity and Access Management, cloud data encryption, Cloud security posture management, Cloud resilience solutions including backup, replication, etc.
  • Assess design, architecture and operating effectiveness of controls to provide technical and operational assurance on Cloud security and risk associated with dedicated hybrid Cloud services, applications using dedicated hybrid Cloud services, Cloud service providers, Cloud security solutions, etc.
  • Overall high quality report writing, documentation and presentation for dedicated hybrid Cloud security topics of operational risk frameworks and operating models, cloud security baseline controls, identifying control gaps, residual risks, questions to identify root causes, risk implications, short term and long term remediation measures, recommendations and appropriate risk opinions

EXPERIENCE, QUALIFICATIONS & COMPETENCIES

Essential

  • Good knowledge of ICT risks, IT Control, Information Security, Business Continuity, IT operations and IT Audit and assessment methodologies and concepts
  • Experience working with ICT risks, business continuity, IT Management and operations, IT risk and IT audit teams
  • Ability to articulate risk management concepts in business language
  • Excellent written and verbal communication skills
  • Proficient with Microsoft Office Suite
  • Prior experience documenting tool requirements to support risk management
  • Ability to travel to BNP Paribas and vendor sites, and perform assessments as necessary
  • Proven ability to manage issues through to resolution; skilled at making judgment calls
  • Ability to successfully multitask and complete difficult assignments within deadlines which may have short lead times
  • Industry certifications (e.g. CISA, CRISC, COBIT) or willingness to obtain the same
  • Works iteratively, delivering quickly and frequently to produce high quality documents and outputs which require little to no rework
  • Multilingual capability is a plus

Preferred

  • At least one of the following is required: CISA, CCSP, CISSP, CISM, CRISC, ISO 27001, CEH, TOGAF, SABSA, or a University degree or equivalent in an IT discipline
  • Combination of deep technical skills and business savvy to communicate with management, architecture, operations / engineering and development teams
  • Completed and certified in at least one Cloud provider certification (practitioner / security / developer / operations, etc.), including those of large Digital Solutions providers such as IBM, Amazon and Microsoft
  • Team player – focus on the success of the whole team. Working well both with others, as well as individually

Required profile

Experience

Industry: Banking
Spoken language(s): English

Other Skills

  • Decisiveness
  • Multitasking
  • Non-Verbal Communication
  • Teamwork
