
General Information

Ref #: 1000001537
Country: Thailand
City: Bangkok
Contract type: Permanent
Professional Family: F06 - INFORMATION TECHNOLOGY

Description

Position Purpose

The CIB ITO Chief Conduct & Control Officer (ITO CCCO) is in charge of IT Risk & Cyber Security, Business Continuity, Physical Security and IT Operational Permanent Control, coordinating between the APAC ITO CCCO teams and local stakeholders.

Key Responsibilities

The ITO CCCO has a direct reporting line to the COO of BNP Paribas Bangkok Branch and a functional reporting line to the APAC ITO CCCO, based in Singapore.

The ITO CCCO responsibilities include the following:

IT Risk & Cyber Security

• Understanding the APAC IT security policy and cybersecurity technical topics in order to both consult on and implement cybersecurity programs in Thailand

• Coordinating with the APAC ITO CCCO and promoting an IT security culture among users as well as the local IT team

• Working on the ISO27001 framework for yearly implementation and continuous improvement; coordinating with stakeholders, including auditors, and tracking progress

• Performing regular security and technology risk assessments for all local assets and ensuring compliance with BNP Paribas Security and Technology Risk Management Policies and local regulatory guidelines

• Reviewing the security and technology risk assessments performed by internal and external service providers for each service under their responsibility before any new service activation or implementation of a material change to existing services

• Setting up the Thailand Technology Risk Management Steering Committee meeting twice a year

• Closely monitoring Thailand security KPIs such as vulnerabilities, patching and security exceptions, and following up on remediation actions

• Following up on vendor actions related to IT security

• Coordinating the IT security training and awareness program, and providing training if necessary

Business Continuity

• Defining and implementing a BCM Program based upon the BCMS process defined by the regional team

• Ensuring performance and oversight of all activities of the local BCM Program

• Defining the criticality and continuity requirements of applications and analyzing gaps between requirements and capabilities in order to report on the risks incurred from IT failures

• Providing guidance, assistance, support, advice, training, etc., to users as appropriate for them to undertake their responsibilities

• Playing the crisis management role in the BNPP Thailand crisis management organization during an incident

• Reporting key risks identified through the risk assessment and business impact analysis to management as appropriate

• Providing all necessary information on business continuity and the reports required by local regulators and supervisory authorities

• Ensuring that the implementation of the BCM program complies with ISO27001 requirements

• Working closely with users, the local IT team and the regional BCM team

Physical Security Management

• Being responsible, in coordination with the relevant stakeholders, for all physical security topics regarding CIB assets and activities

• Organizing the physical security committee at least twice a year

• Monitoring the physical security activities for all CIB assets located in the territory in a dashboard that helps management assess the adequacy of the physical security provisions against the risk

• Carrying out the country/territory risk assessment rating at least every 6 months

• Validating the risk rating with PPSM and reporting the result to the local SteerCo

• Monitoring the physical security risks and identifying emerging new risks

• Conducting regular assessments of the level of exposure of CIB and proposing appropriate remediation measures

• Recording and analysing physical security incidents and proposing mitigation if necessary

• Performing due diligence and safety monitoring, with escalation to PPSM, for areas where BNPP assets may be impacted and lead to business or organization

• Contributing to the execution of the PPS control plans

• Implementing all additional security controls if needed

• Defining the procedures and guidelines in accordance with local regulations and the CIB or Group framework

• Deploying the policies and defining and setting up local processes, procedures and standards

• Implementing the physical security provisions

• Conducting regular robustness tests to ensure operational readiness of the security systems and of the operational teams

• Monitoring changes in regulatory requirements

• Conducting security reviews of premises

• Contributing, when needed, to the security of off-site events organized by CIB

• Taking part when necessary in the management of crisis situations

• Supporting read-across and improvement-related requirements organised by the Region PSM and/or Global PSM

• Conducting security reviews as needed

• Monitoring the presence of BNP Paribas travellers and expatriates and providing support when needed

• Ensuring that new expatriates receive a security brief

• Designing and conducting training and awareness communications for BNP Paribas staff and other stakeholders

• Defining and implementing the annual local training program for expatriates

IT Operational Permanent Control

• Being responsible for the operational permanent control and self-assessment related to IT/Cybersecurity

• Supporting the reporting and management of ICT risks to the eligible bodies, with risk acceptances/cards where needed; this is done notably as part of the RCSA exercise coordinated with Regional IT OPC

• Preparing the Territory Technology Risk Committee, including logistic support, escalating relevant points in addition to the standard agenda, writing the minutes and following up on identified actions

• Preparing ICT contributions for the various Internal Control and Permanent Control committees, locally or at APAC level

• Being in charge of the deployment and reporting of the IT controls identified to mitigate the risks (at minimum the major ones: OPC and operational standard controls, plus those specific to local regulation and local policies when needed)

• Executing the above-mentioned controls and escalating failures to the stakeholders adequately, so as to define the remediation and track it efficiently

• Preparing the ICT Permanent Control report based on the provided templates, where required

Other

• Working on any assignment given by the Territory COO, such as PDPA and DPO control and reporting activities

Competencies (Technical / Behavioural)

1. Knowledge of IT infrastructure, applications or a related field

2. Knowledge of IT security and IT risk and control implementation

3. Awareness of IT-related security topics such as the Cybersecurity Law, PDPA, etc.

4. Awareness of ISO27001:2013 (information security): this international standard specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). It is the responsibility of all staff of BNP Paribas Bangkok Branch to contribute to this common objective.

5. Ensuring compliance with the Bank's policies/procedures and regulatory requirements, in particular with regard to the KYC/AML/FS responsibilities and duties, as per the relevant policies and procedures

6. Willingness to learn, with a 'can do' attitude

7. Good teamwork and communication

8. Good command of English (both written and spoken)

Specific Qualifications Required

* At least 8 - 10 years of relevant experience is preferred.
* A degree in Computer Science, Computer Engineering or a related program.
* Experience in IT Security, Compliance and Risk Management is preferred.