CONTRACTS x 3. IT AUDIT/RISK Banking experience. CISA
Contract in FRANCE for 3 months plus.
Need to be available in 4 weeks
850-900 euro per day plus expenses.
- Obtain assurance that there are sufficient technical measures in place to ensure perimeter security, to identify vulnerabilities (so that they can be fixed in a timely manner) and to detect intrusions within our client’s IT network (so that they can be stopped in a timely manner);
- Obtain assurance that processes and measures ensure that administrative access rights (handled by our client) are adequately managed;
- Obtain assurance that processes and measures ensure that remote access (which enables access to our client’s IT services, including on-line banking and Fintechs) is appropriately secured;
- Obtain assurance that there are sufficient measures to safeguard the physical security of our client’s datacentres, which host production servers as well as development and test environments (physical protection from unauthorised access, damage and interference, as well as protection from physical and environmental threats);
- Obtain assurance that there are appropriate measures that ensure that changes of the elements of our client’s IT systems are planned, tested, implemented, documented and monitored in a controlled manner and that the outcome is recorded and evaluated thoroughly;
- Obtain assurance that the capacity and performance management processes enable our client’s IT infrastructure to cope with the load;
- Obtain assurance that the institution has an appropriate process for identification, classification, evaluation, prioritisation and resolution of incidents;
- Obtain assurance that the institution has an appropriate process for identification and classification of problems, root cause analysis and resolution;
- Obtain assurance that a sound process (within our client) for the orderly registration and administration of the elements underlying the IT system exists (configuration management).
- To write (in English):
  - Findings based on shortcomings identified during the investigations;
  - At least one paragraph for each expected control requested by the Head of Mission, summarising the implemented processes, the related controls and their overall assessment;
  - The audit trail of the performed investigations (gathered documentation, minutes of interviews, written answers, analysis, architecture charts…) and evidence for each finding.
- The consultants are expected to use a variety of inspection techniques including, but not limited to, observation, information verification and analysis, targeted interviews, walk-through testing, sampling and validation of data.
- Other tasks as will be specified by the ECB or the Head of Mission during the course of the service provision.
Generic knowledge required:
- Audit techniques (interview, documentation review, walk-through, case by case examination);
- Writing skills.
Technical knowledge required:
- IT Audit (Certified Information Security Auditor) within banks, with expertise on the following topics:
  - IT security infrastructure which ensures perimeter protection (firewalls, DMZ, IDS/IPS…);
  - Vulnerability identification and patch management;
  - Penetration test report review;
  - Security of remote access (including on-line banking and mobile banking services) and strong authentication features;
  - Administrative access rights with regard to RACF, Unix servers, Active Directory, databases, storage platforms, IT security components, network components etc.;
  - Datacentre physical security measures (tools for physical access right management; physical measures to protect buildings and server rooms against internal and external threats, inter alia thunderstorms, fire, extreme temperature, earthquakes, explosions, flooding or theft; protection measures for power, telecommunications and cabling; tools for identification of internal and external threats);
  - IT operation processes:
    - Change management;
    - Capacity management (on-going capacity management, periodic capacity analysis, capacity evaluation before change implementation);
    - Identification, classification, evaluation, prioritisation and resolution of incidents;
    - Identification and classification of problems;
    - Configuration management.