Aloïs Gawra

cyber security / gdpr consultant

€833/day
Montpellier, FR
8-15 years

Average response time: 1 hour

Freelancer profile translated to English.

About Aloïs

For 10 years, I have been supporting CISOs within major French groups in the energy distribution and banking sectors.
I have notably worked on missions to develop information protection plans, support GDPR compliance, initiate security in projects, and raise awareness around cybersecurity.
  • Spanish
    Basic
  • English
    Fluent
  • French
    Native or bilingual

Can work on-site
Montpellier (up to 50km), Paris (up to 10km), Lyon (up to 50km), Marseille (up to 100km)

Experience

  • Groupama
    PSI Expert
    BANKING AND INSURANCE
    April 2023 - Today (3 years and 2 months)
    Montreuil, France
    - Risk analysis and service provider assessment:
    o Risk analysis related to projects and outsourced services.
    o Assessment of the cybersecurity maturity of critical service providers and suppliers.
    o Review of security documents and identification of gaps with internal requirements.

    - Vulnerability analysis and corrective action tracking:
    o Exploitation and analysis of vulnerability scans performed with the Qualys VMDR tool.
    o Identification of critical vulnerabilities and remediation recommendations.
    o Tracking of corrective actions with the IT teams and concerned service providers.

    - Monitoring of penetration tests and implementation of security measures:
    o Coordination and monitoring of penetration tests (pentests) carried out on applications and infrastructures.
    o Analysis of pentest results and identification of security flaws.
    o Prioritization of corrective measures and monitoring of their implementation with technical teams.

    - Improvement of the PSI process and documentation:
    o Participation in the definition and optimization of the security process in projects (PSI).
    o Contribution to the creation and updating of security documents and repositories (guides, procedures, risk analysis templates, etc.).
    o Awareness and support for project teams to ensure the integration of security requirements from the design phase.

    - Contribution to ISMS governance:
    o Participation in the development and strengthening of project security processes.
    o Assistance to business units and technical teams in applying security requirements.
    o Presentation of analyses and recommendations to security managers and project teams.
    o Writing policies and documentation.
    PSI, ISSP, Risk Analysis, Cybersecurity, Vulnerability Management
  • La Banque Postale
    Cybersecurity Expert
    BANKING AND INSURANCE
    February 2022 - March 2023 (1 year and 2 months)
    Ivry-sur-Seine, France
    - Risk management in projects:
    o Level 2 control of security in outsourcing projects and new banking product projects, and formalization of a security opinion presented to the Director of Operational Risks at La Banque Postale.
    o Assessment of the security maturity of potential new partners.
    o Review of project security documents.
    o Assistance to the CISOs/CSIRs of the bank, its subsidiaries, and its entities for the implementation of security best practices and the deployment of the ISSP.
    o Management of exceptions to the Information System Security Policy (ISSP).

    - Project Management:
    o Leading the project for changing the risk analysis methodology from EBIOS 2010 to EBIOS RM
    o Digitalization of the risk analysis process using the EGERIE tool.
    o Maintenance of the relationship with the EGERIE supplier and establishment of contractual security documents
    o Management of service providers for the formalization of the new methodology and tool configuration.
    o Management and participation in the development of change management
    o Management of the project team.
    o Budget monitoring
    o Presentation of project progress to the Director of Cybersecurity and the Directors of La Banque Postale during project steering committees
    EBIOS RM, Project Management, PSI, ISO 27005, ISO 27001
  • Société Générale
    Assistant CISO
    BANKING AND INSURANCE
    May 2018 - January 2022 (3 years and 8 months)
    Paris, France
    - Formalization of risk analyses to assess risks in projects
    - Support for business units to integrate security requirements into projects to mitigate risks.
    - Management, for France and internationally, of the implementation of security measures related to GDPR (DLP, log centralization, data anonymization...)
    - Update of the PSI process to include a PIA (Privacy Impact Analysis)
    - Communication to business units on GDPR issues
    - Development of a tool for conducting PIAs
    - Reporting and presentation of compliance progress to the Entity and Group Steering Committees
    - Implementation of a secure file sharing solution (Postfiles):
    o Opportunity study, needs assessment, and benchmark of several solutions
    o Discussion with the supplier (Oodrive) to schedule the solution pilot and employee training
    o User support
    o Solution administration
    - Configuration of the group DLP with specific ASSU rules:
    o Definition of dictionaries of words to be configured
    o Gathering of documents to be indexed
    o Discussions with technical teams to schedule the configuration and test the new rules
    - Management of a POC for an unstructured data protection solution (Varonis):
    o Discussion with the supplier (Varonis) for POC programming and solution configuration
    o Analysis of POC results in collaboration with the DPO
    - Assistance in drafting and negotiating contracts with partners:
    o Review of security clauses
    o Drafting of PSAs
    GDPR, ISO 27001, Risk Analysis, project manager

Education

  • Master of Science
    EM Lyon
    2015

Certifications

  • ISO 27005
    HSC
    2017
  • ISO 27001 Lead Implementer
    HS2
    2025
    ISMS ISO 27001