RESPONSIBILITIES
The Data and Cyber Security (DCS) team has the following main responsibilities:
- Identification, reporting and management of Asia cyber risk
- Third party cyber risk assessment and management
- Asia cyber risk awareness campaigns and training
- Advice on cyber security to business service unit (e.g. as part of new projects suggests controls to mitigate risks)
- Cyber incident response (including management of data leakage incidents)
- Management of response on cyber topics to Asia and international regulators
- Response to client due diligence requests on cyber security
Your Responsibilities:
Security Control Review:
- Define scope, roadmap, and testing plan to assess key cybersecurity controls on an ongoing basis
- Perform tests of design and effectiveness on key cybersecurity controls
- Work to embed control testing within the organisation with a focus on automation and efficiencies
- Work with various teams to define follow-up actions to remediate control weaknesses identified
- Maintain, review and renew risk acceptances for control risks that cannot be fully mitigated
Project Security Assessments
- Work with relevant teams to perform security assessments, reviewing high- and low-level architecture designs, and provide recommendations to mitigate identified risks on new projects being rolled out
- Depending on the nature of the project, security assessments should cover application and data security requirements to ensure compliance with the Bank's internal policies and framework
- Ensure compliance with cybersecurity related regulations that may be relevant to the project
- Perform follow-up on remediation actions that may result from the security assessment
Third Party Risk Assessments
- Perform information security reviews on requests for outsourcing, including review of the vendor's security capability and risk of data leakage
Regulatory Reviews
- Perform reviews to assess the Bank's compliance against cyber regulatory topics across Asia
- Work with Compliance to identify new and arising regulatory requirements with impact to cybersecurity
Participation in committees
- Participate in regional and global governance meetings and normative committees where required
- Provide updates within the team and liaise regularly with other teams in Asia, including application managers, technology, compliance, operational risk managers, risk management and third party management
PROFILE REQUIRED
- Proficient in performing security architecture and security design reviews
- Knowledge of application, system and network auditing
- Strong understanding of IT infrastructure and IT applicative framework architectures
- Familiarity with cloud computing and container technologies (docker and kubernetes)
- Good understanding of application vulnerabilities and common exploits (e.g. OWASP Top 10)
- Knowledge of security hardening standards (e.g. Center for Internet Security benchmarks, NIST)
- Experience with security control reviews and audits
- Experience in performing third party reviews / assessments
- Familiar with cybersecurity regulatory topics in Asia (e.g. HKMA C-RAF, MAS TRM, etc)
- Computer programming experience desirable
- Excellent English verbal and written communication skills, with experience in communicating complex technical topics at senior organizational levels, up to and including MD level
- Client oriented mindset, results driven, proactive and quick to react to requests
- Innovative and bringing new ideas to improve processes
- Bachelor's degree in Information Technology or equivalent
- Professional qualification such as CISSP, CISM, ITIL
- Experienced security professional with 8+ years of relevant experience
BEHAVIORAL SKILLS
Responsibility - Risk awareness: I am constantly on the lookout for risks
Responsibility - Performance: I strive for high performance
Team Spirit - Synergies: I make cooperation with colleagues in and outside my team a priority
Team Spirit - Open mindset: I listen and share my views and my expertise in an open mode
Client - Understanding and Respect: I listen to clients and colleagues in order to understand and anticipate their needs
Client - Risk: I strive to satisfy clients while taking into account risks for the company
Company Description:
Societe Generale is one of the leading European financial services groups. Based on a diversified and integrated banking model, the Group combines financial strength and proven expertise in innovation with a strategy of sustainable growth. Committed to the positive transformations of the world’s societies and economies, Societe Generale seeks to build together with its clients, a better and sustainable future through responsible and innovative financial solutions. Active in the real economy for over 150 years, with a solid position in Europe and connected to the rest of the world, Societe Generale has over 117,000 employees in 66 countries and supports 25 million individual clients, businesses and institutional investors worldwide (figures as of August 2023). We have a presence in 11 locations across Asia Pacific. With our regional headquarters in Hong Kong – a core hub of the worldwide Societe Generale Group – we employ around 2,300 employees in the region. In addition, Societe Generale's Global Solution Centre (SGGSC) in Bangalore and Chennai supports the Group in Asia Pacific and globally with customised business solutions.
Department Description:
The Global Business Service Unit (GBSU) Risk & Production Management (RPM) is part of the first line of defense (LOD1) and accompanies SG Asia management in the development and transformation of its business whilst ensuring non-financial risks are appropriately identified and managed operationally, with a focus on:
- Transversal risk management (Resilience, Cyber, Oversight/Outsourcing) for the wholesale platform
- Operational Security Management (OSM) functions for GBSU Asia
- LOD1 project coordination (e.g. Permanent Control Transformation, Operational resilience) for the wholesale platform
In Asia, LOD1 risk management and control functions are provided by RPM as a service under the governance of, and with accountability from, Asia management. The RPM function is split across 5 teams:
- Governance, Risk and Controls team (GRC) => in charge of operational and non-financial risk management for GBSU functions
- Data and Cyber Security (DCS) => in charge of data and cyber security risk management for the Asia platform
- Third Party Management (TPM) => in charge of monitoring risks from providers (intra-group and external) and also oversight of the Operations processing chain for Asia-originated activities
- Business Continuity Management (BCM) => in charge of business continuity risk management for the Asia platform
- Processes and Practices Steering Team (PPS) => in charge of providing and maintaining IT solutions to support the business growth of GBIS