Information Security Control & Compliance officer
The implementation of a suitable ISMS requires defining an integrated normative and control framework, based on authoritative sources (e.g. directives, laws, …), via policies and standards. The effective operational implementation of these policies and standards must be ensured through compliance monitoring that measures the degree of conformity and effectiveness. The final objective is to provide reasonable assurance that the important security and continuity risk control objectives are achieved.
Complementary to these activities, the GRC team is very active in:
- the identification of information security risks on assets/applications, projects and 3rd-parties;
- the development and implementation of mandatory security controls in order to mitigate risks and demonstrate compliance.
To support these activities, the BNP Paribas Fortis Governance, Risk and Compliance team is looking for an Information Security Control and Compliance Officer.
As an Information Security Control and Compliance Officer you will carry out the activities listed below.
Develop, implement and maintain information security controls (with a special focus on IT and third-party security), in order to ensure that the organization, processes and assets are managed in accordance with the security policies, and that the risks are therefore controlled:
- Support first-line in the definition and implementation of security controls;
- Coordinate and monitor the execution of first-line controls;
- Follow-up and report to management and second line of defence the results of first-line controls and status of remediation actions (e.g. Third Party Control plan);
- Provide advice on the improvement of existing security controls;
- Participate in and lead parts of the projects related to Group Major controls (Network Segmentation, Application Security, Management of Logs, …).
Contribute to the tasks of the Global Security Information Security Normative Framework:
- Acquire and maintain knowledge of Global Security (GS) information security policies, their evolution and alignment with Authoritative sources, other frameworks and legislation;
- Perform gap analysis to ensure that the essential security requirements and risks are addressed and covered through the Control plan;
- Provide a multidimensional compliance view (towards the Group, towards PCI DSS, …);
- Maintain a traceable inventory of changes related to controls and updates in GS normative framework.
French or Dutch: fluent speaking and writing.
English: fluent speaking and writing (mandatory).
Certifications in the ISO 27k series, Certified Information Systems Security Professional (CISSP), CISA, …
- 2-5 years' experience in IT security technology and processes (good knowledge of Identity & Access Management is a plus);
- Experience in metrics definition and dashboarding;
- Good knowledge of Excel (pivot tables, formulas) and Access;
- Knowledge of SharePoint (as a user).
- 2 years' experience in developing and maintaining policies and / or processes (preferably in IT area);
- Experience with regulatory requirements, ISO/IEC standards (e.g. ISO/IEC 27001, the Information Security Management standard, …), laws and regulations;
- Coordination of / collaboration with external resources;
- Certified ISO27001 Lead Implementer;
- Knowledge of NIST control framework, PCI Standard, CIS20, SIG;
- Experience in designing and implementing controls;
- Knowledge of GRC Tools such as RSA Archer;
- Project management/coordination skills (ability to run projects, mostly intra-team);
- 2-5 years' experience in IT, Information Security environments;
- Capability to quickly understand end-to-end process flows and control needs;
- Experience in drafting memos and reports addressed to senior management level.