Laurent Vernique

Within the CSSI team responsible for managing derogations or exceptions to the IS Security Policy: Information System Security Policy of La Banque Postale, supporting the deployment of the IS Security Policy within the IT department, maintaining KRIs (Key Risk Indicators) and Security Reporting for the IT department as well as for subsidiaries. This is an RPS (Security Pivot Relay) mission for DSIBA, meaning acting as a security officer for IAM (Identity & Access Management) and PAM (Privileged Access Management) for La Banque Postale's IT department. This activity will be carried out in conjunction with correspondents in the various DSIBA departments, correspondents from the Cybersecurity Department, and CISOs. The mission will primarily consist of: - Implementing a new governance organization for DSIBA's IAM and PAM, around Sailpoint & CyberArk products - Participating in the development of new access profiles according to business needs - Identifying toxic combinations and privileged accounts (PAM) - Developing a derogation management model - Defining the new access review organization

2nd: Define and apply the necessary security controls to ensure a level of security corresponding to the group's expectations. Monitor the evolution of the Bitsight rating for the group's applications exposed on the internet. Respond to employee requests as needed. Monitor the various user account certification campaigns.

PAM (Privilege & Access Management) Program within the IT Department:

1 - Context and objectives of the service

"User" privileges

Reduction of privileged accounts and securing exceptions (controls) according to the rules set by the Group CISO

Monitoring and handover to RUN of the project (Securing privileged accounts)

Study of project V2.5 daily password renewal and MFA implementation

2 / "Generic Accounts" privileges

Securing generic accounts (management of their life cycle) and their associated privileges according to the rules set by the Group CISO.

The contribution to these projects includes participation in scoping and applicability workshops based on the IT department's context; proposal and validation of objectives by the CISO; implementation of internal governance (communication, change management, implementation, definition and implementation of controls); reporting/alerting on objective achievement.