Job offer

Information Security Risk Officer

The Information Security Risk Officer supports the CISO in Luxembourg in ensuring the security, integrity, and resilience of the bank's information systems and helps to ensure compliance with regulatory requirements. The role includes operational tasks such as risk management, incident response, business continuity management, and third-party oversight.

Job description

The Information Security Officer supports the CISO Luxembourg in ensuring the security, integrity, and resilience of the Bank’s information systems across multiple jurisdictions. The role works independently on operational tasks and helps maintain compliance with regulatory requirements, including DORA and local financial sector regulations. The position involves performing daily security activities, preparing documentation and reports for review by the CISO Luxembourg, and participating in the organization’s ICT risk management, incident response, business continuity, and third-party monitoring activities.

Key aspects of the role

The role requires communication with Group Information Technology and Group Information Security & BCM (Geneva) regarding central security services and group-wide projects, as described in the respective Service Level Descriptions (SLDs).

Tasks

The most important tasks include:
  • ICT Risk Management and Regulatory Compliance
  • Third-Party Risk Management (TPRM)
  • Major Incident Management and Regulatory Reporting
  • Business Continuity Management (BCM) and Operational Resilience
  • Security Operations and Surveillance
  • Governance and Security Awareness

Tasks in detail

  • ICT Risk Management & Regulatory Compliance:
    • Contributing to the annual ICT Risk Framework Report by collecting data and drafting sections for review by the CISO
    • Monitoring regulatory developments (DORA, local circulars) and preparing impact analyses
    • Maintaining compliance documentation and supporting regulatory reporting activities
    • Assistance in preparing materials for regulatory communications and audits
  • Third-Party Risk Management (TPRM):
    • Conducting security due diligence and risk assessments for new and existing ICT service providers
    • Monitoring third-party compliance with contractual security requirements and SLAs
    • Monitoring security incidents at third-party locations and escalating them as needed
  • Major Incident Management & Regulatory Reporting:
    • Implementing incident response procedures and participating in security incident investigations
    • Assistance with classifying incidents according to DORA major incident criteria
    • Preparation of regulatory major incident notifications (initial, intermediate, final) for validation by the CISO
    • Maintenance of incident logs and support for aggregated annual cost and loss reporting
    • Conducting post-incident reviews and tracking corrective actions until completion
  • Business Continuity Management (BCM) & Operational Resilience:
    • Support in the development and maintenance of IT business continuity plans (BCP)
    • Participation in BCP testing activities and documentation of test results

Job details

© 2025 House of Skills by skillaware. All rights reserved.