· Define/own/operate the Granular Recertification process - Expectation at this point is the GiAM feed will likely just cover the surface level of who has access to a VDR platform (e.g. Intralinks) and not their role (admin/user etc.) or, crucially from a BIRO and ISR perspective, which rooms/exchanges they can access. If that’s confirmed to be the case, this drives the need for a manual process to supplement the GiAM recert with the business & VDR providers, which the ITSO / BAU resource need to own and operate.
· Institute and own the dormant (and orphan) accounts purging process - We need a process to highlight and potentially disable and purge accounts not active for an 'x' time period. We've confirmed this cannot be driven by AD and needs instead to be driven via user lists provided by VDR vendors, manually processed with the service owner/business and the corresponding GSR to remove the AD LDS group and subsequently remove VDR external account access.
· Institute and own the Break Glass Exception account - (Exceptional access for the business outside of HSBC Single Sign On) - Has been challenged as a requirement and is with BIRO & Compliance to validate. If confirmed as required, there is only one possible solution, via internet accounts (as per today), for which there will need to be a stringent manual control process owned and operated by the ITSO and BAU resource.
· Implement rogue account creation mitigation - Again a stringent and manual control process to mitigate the risk of a rogue user creating an internet (non-HSBC) account for their HSBC colleague to then exfiltrate data, bypassing our controls. Would need to be owned by the ITSO and operated between the BAU resource, business and BIRO.
· Publish Governance Framework proposal – This framework will be defined to outline the expected standard controls (SSO / GiAM / QRadar) to be implemented for a VDR provider to be onboarded, and I’d aim to also outline the manual control processes listed above. I’ve just mind mapped the high level of what this should include (admittedly it’s a couple of months old now), but as ITSO I’d want your input and agreement to it, as your team would in effect be implementing it and it would be mad to not have you inputting and reviewing the proposal.
· Implement Event Logging API – Intralinks’ maturity of offering in this space needs enhancing, which they recognise, and having seen HSBC’s expectations (we defined some requirements from a project perspective based on the Security Logging Standard) they have indicated they could look at enriching it. This would need internal sponsorship within Intralinks and I expect could be leverage for wider contractual negotiations re. global pricing.
· Liaise with the Data Security team (Sam Marshall / Andy Perry – not sure if they’ve already made contact with you), who have additional concerns around VDRs and the inherent data security risks. I know they’re keen to talk to you in respect of reducing risk. I’m working with them closely on my project and they’re aware of the deliverables, but will, I’m sure, make contact to discuss their requirements. Just giving a heads up, as I was keeping them informed of progress re. IT Service Ownership and the Gabriel / David B discussions.
The following skillsets would suit the above role. Let me know if you have maybe a template that we could use to expand it.
· A Bachelor’s degree in Computer Science or Business supplemented by technical course work and proven and progressive experience, including in project management and three to five years in a specialized critical technology with a proven track record utilizing the specialized discipline.
· Master's degree strongly preferred.
· Recognition by peers as an expert in systems design, database languages or techniques for applications systems design.
· Strong communication, project management, analytical, lateral thinking, planning and problem solving skills. Strong knowledge of project management, businesses supported, and industry trends. Detailed knowledge of a critical technology discipline and broad knowledge of various technology disciplines.
· Demonstrated ability to lead and implement technology and the development of a comprehensive methodology regarding how and where area of expertise will benefit the business and have orchestrated the utilization of this technology and developed metrics for tracking its success.
· Compliance, operational risk controls.
· The ability to apply multiple technologies to business situations, identify and apply productivity improvements, and blend the technical environment with strategic direction.
· Provide leadership in setting strategic architectural and software direction. Lead one or more technical business application areas and projects of high complexity or criticality. Control critical cross-functional projects, related project risk and the resulting impact on business and strategic plans.
· Serve as expert in area of responsibility, identify process improvements and problem prevention, and advise department and management of relevant information as appropriate.
· Assist in the management of the partnership with the business unit.
· Ensure compliance and operational risk controls in accordance with HSBC or regulatory standards and policies, and optimize relations with regulators by addressing any issues.
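The dormant/orphan purge, rogue-account and granular-recertification bullets earlier in the message all reduce to the same manual step: take the vendor's user export, reconcile it against the AD LDS group that gates SSO, and produce a worklist for the service owner and BIRO. The script below is an added example of that reconciliation, written for this page; it is not HSBC or Intralinks tooling. The CSV column names (email, role, rooms, last_login), the corporate domain list, the 90-day dormancy threshold and both sample exports are constructed assumptions; a real vendor export will need its columns mapped.

```python
"""Reconcile a VDR vendor user export against the AD LDS (SSO) group membership.

Added example, not vendor or HSBC code. Assumed input formats:
  - vendor export: CSV with columns email, role, rooms (';'-separated), last_login (ISO date or blank)
  - AD LDS group export: one email address per line
"""
import csv
import io
from datetime import date, datetime

CORPORATE_DOMAINS = {"hsbc.com"}   # assumption: anything else is an "internet" account
DORMANT_DAYS = 90                  # the 'x' inactivity period; assumption

# Constructed sample vendor export (not real data).
VENDOR_EXPORT = """email,role,rooms,last_login
alice@hsbc.com,user,ProjectAlpha;ProjectBeta,2024-05-20
bob@hsbc.com,admin,ProjectAlpha,2023-11-02
carol@hsbc.com,user,ProjectBeta,2024-06-01
dave@gmail.com,user,ProjectAlpha,2024-05-30
erin@hsbc.com,user,ProjectGamma,
"""

# Constructed sample AD LDS group membership (not real data).
AD_LDS_MEMBERS = """alice@hsbc.com
bob@hsbc.com
"""


def parse_vendor_export(text):
    """Parse the vendor CSV into normalised account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        accounts.append({
            "email": row["email"].strip().lower(),
            "role": row["role"].strip().lower(),
            "rooms": [r for r in row["rooms"].split(";") if r],
            "last_login": datetime.strptime(last, "%Y-%m-%d").date() if last else None,
        })
    return accounts


def parse_member_list(text):
    """Parse the AD LDS group export into a set of lower-cased emails."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def reconcile(accounts, members, today, dormant_days=DORMANT_DAYS):
    """Return {email: [findings]} for every account in the vendor export.

    Findings are independent flags, each mapping to one of the manual processes:
      external-domain  -> break-glass register / rogue account check
      orphan           -> not in the AD LDS group, so SSO no longer gates it
      dormant / never-logged-in -> purge candidate after service-owner sign-off
      privileged-role  -> admin rights, recertify explicitly
    """
    findings = {}
    for acct in accounts:
        flags = []
        domain = acct["email"].rsplit("@", 1)[-1]
        if domain not in CORPORATE_DOMAINS:
            flags.append("external-domain")
        if acct["email"] not in members:
            flags.append("orphan")
        if acct["last_login"] is None:
            flags.append("never-logged-in")
        elif (today - acct["last_login"]).days > dormant_days:
            flags.append("dormant")
        if acct["role"] == "admin":
            flags.append("privileged-role")
        findings[acct["email"]] = flags
    return findings


def review_candidates(findings):
    """Accounts to put in front of the service owner for disable/purge."""
    purge_flags = {"orphan", "dormant", "never-logged-in"}
    return sorted(e for e, f in findings.items() if purge_flags & set(f))


def room_recert_worklist(accounts):
    """Room-level view the GiAM platform feed cannot give: {room: [(email, role)]}."""
    by_room = {}
    for acct in accounts:
        for room in acct["rooms"]:
            by_room.setdefault(room, []).append((acct["email"], acct["role"]))
    return {room: sorted(v) for room, v in sorted(by_room.items())}


def run(vendor_text, members_text, today_iso):
    """Convenience entry point: parse both exports and reconcile as of today_iso."""
    accounts = parse_vendor_export(vendor_text)
    members = parse_member_list(members_text)
    today = date.fromisoformat(today_iso)
    return reconcile(accounts, members, today), room_recert_worklist(accounts)


if __name__ == "__main__":
    findings, rooms = run(VENDOR_EXPORT, AD_LDS_MEMBERS, "2024-06-15")
    for email, flags in findings.items():
        print(f"{email:20} {', '.join(flags) or 'ok'}")
    print("review candidates:", review_candidates(findings))
    for room, users in rooms.items():
        print(room, users)
```

The output is only a worklist: removal from the AD LDS group and then from the vendor side still goes through the service owner, GSR and BIRO, as the message describes. The room view is there because the platform-level feed does not show which exchanges an account can reach, which is the gap the granular recertification bullet is about.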