IT & Cyber Permanent Control Officer

Mission context

The BNP Paribas Fortis (BNPPF) Governance, Risk and Compliance team supports IT and Business Units in the protection from operational risks linked to IT and Cyber Security. In this context, Permanent Control Officers help management and staff in the adoption and implementation of a permanent control framework that best corresponds to the bank environment and risk profile, always in accordance with the Group's and BNP Paribas Fortis' second line of defence directives.

In particular, this support covers:
The identification and assessment of the risks operational management and its staff encounter as a result of the activities for which they are responsible;
The definition and implementation of the means to maintain these risks within acceptable limits as defined by the Group or the Executive Committee of Fortis Bank SA;
The initiation and/or monitoring of the progress of all actions aimed at reducing risks resulting from internal audit recommendations, external audit recommendations and those triggered by the operation of the permanent control framework and alerts issued by it.

Function description

As an IT and Cyber Permanent Control Officer you will carry on the activities listed below:

Identification and assessment of risks (Risk Mapping)

• Identify essential processes, applicable risk events and relevant controls.
• Carry out risk identification and assessment work (meeting of experts, standardisation, obtaining management validation)

Potential incidents

• Define & quantify potential incidents (scenario analysis) based on expert meetings, theoretical studies related to environmental and internal control factors and other quantification factors
• Obtain validation for potential incidents
• Contribute to the definition of action plans
• Monitoring of action plans

Historical incidents

• Translate the normative framework into operational instructions (definition of local collection thresholds, organisation of collection, etc.)
• Identify and support business to record incidents
• Analyse the incident with the operational manager
• Contribute to the definition of action plans
• Monitoring of action plans
• Carry out the first level controls on collection (comparison with accounting or other databases, attestation process, etc.) and validation of incidents

Controls

• Coordinate the transposition of Group generic control plans and implement them
• Extend generic control plans in accordance with Risk Mapping
• Ensure the implementation and execution of controls (within or outside OPC)
• Analyze and report on results of controls
• Assist in the definition of action plans and the monitoring of their implementation

Regulatory & internal recommendations

• Ensure the operational organisation of the follow-up of recommendations and permanent control actions
• Manage local and Group reports adapted to the required audience (operational/executive)

Organization and procedures

• Ensure the operational implementation of the process to manage procedures
• Define requirements in terms of procedures, in particular in accordance with the general framework

Reporting

• Define and report on ongoing monitoring and operational risk management
• Able to provide detailed reports / insights as well as a helicopter view on different Risk related subjects
• Able to translate technical language to a non-IT audience
• Present & obtain validation from Senior Management of consolidated reports

Governance bodies

• Ensure that permanent control and operational risk issues are addressed in the governance bodies of the required first line of defence.
• Support IT in the organization of New Activity Committees.

Language requirements

• Dutch: Good speaking and writing (optional)
• French: Fluent speaking and writing (mandatory)
• English: Fluent speaking and writing (mandatory)

Education

• Master degree in IT or science or an engineering degree, with a strong IT background or proven equivalent experience / skills in the area.

Certification

• (Optional) ISO27001 / CISA / CISM / CISSP

Telework

• Expectation: 50% on site & 50% homeworking

Required experience / knowledge

• 3-5 years of experience in Information Security and in IT process management.

Technical experience
mandatory

• 3-5 year experience in IT and security technology and processes
• 2 years’ experience in risk management, proven evidence of being able to perform IT and Cyber risk assessments;
• Experience in deriving control definitions from requirements, and execute test procedures;
• Experience in Metrics definition and dashboarding;
• Good knowledge of Excel (pivot tables, formulas) and Word, PPT;
• Knowledge of Agile
• Quick learner in the use of a multitude of reporting / risk management and collaboration tools

preferable

• Experience in developing and implementing policies and / or processes in IT area;
• Certified ISO27001 / CISA / CISM / CISSP;
• Knowledge of NIST control framework, PCI Standard, CIS20, SIG;
• Knowledge of GRC Tools such as RSA Archer or Service Now GRC

Business experience
mandatory

• 2-5 years’ experience in IT and Information Security environments;
• Experienced in interpretation and control review regarding regulatory requirements, ISO/IEC standards (eg: 27001 Information Security Management Standard,…), laws and regulations;
• Capability to quickly understand end-to-end process flows and control needs;
• Experience in Reporting, Memo drafting and providing presentations addressed to senior management.

preferable

• Preference will be given to candidate that have a good knowledge / practical experience of different bank entities / processes if possible.

Soft skills

• Quick self-starter, pro-active attitude; team player;
• Excellent English writing skills;
• Good communication and influencing skills; ability to capture and adapt to stakeholder expectations while maintaining compliance with bank processes;
• Good analytical and synthesis skills, ability to produce structured and concise documents; precise and methodological;
• Proven experience of being able to coordinate of/collaborate with different teams and external resources.
• Ability to work in a dynamic and multi-cultural environment;
• Autonomy, commitment and perseverance in personal organization;
• Results and time-oriented; high performer.