IT Security Officer

CIAT Framework: Following the 2021 ACPR inspection, the CIAT framework was established within LCH SA to assess the CIAT (Confidentiality, Integrity, Availability and Traceability) needs for the Business applications. This is also required by the recent DORA regulation.

The objective of the framework is to determine the CIAT criteria per Business applications (owned and consumed by LCH SA) and then to determine the security measures to meet the requirements related to CIAT items.

Recently, the CIAT framework covers the technical applications (owned and consumed by LCH SA). In addition, there is an annual process (campaign) to review the CIAT sheets noting that the frequency of the review is based on the tiering (Tier 1 on annually basis, lower tiering every two years).

On top of that, the CIAT framework is monitored through the following governance chaired by LCH SA (CIAT working Group and EsCo). Finally, all CIAT documentation needs to be reviewed on a regular basis.

As a metric, as of today, there are around 150 CIAT sheets to maintain up-to-date and all new CIAT sheets from change management framework (projects).

Control framework:

The regulation (arrêté du 3 novembre modifié - Arrêté du 3 novembre 2014 relatif au contrôle interne des entreprises du secteur de la banque, des services de paiement et des services d'investissement soumises au contrôle de l'Autorité de contrôle prudentiel et de résolution - Légifrance) requires a robust control framework to oversee the outsourced activities. In that context, LCH SA leverages on a cyber control library to assess the security processes delivered by LCH SA outsourcers (ATOS, LCH Ltd and BSL and OVH in the future).  

The delivery of the control framework is based on the following steps based on the Group framework with different frequencies (monthly, quarterly, semi-annually, and annually) depending on the criticality of the controls:

• Control assessment from the contracts (L4 metrics)
• L3 Control Independent Testing,
• L3 Control assurance (Cyber),
• L3 Control assurance (Tech).

As a metric, as of today, there are 51 Level 3 controls and additional L4 metrics from the contracts to assess, to report and to enhance with the three outsourcers though several monthly committees. The topics of those controls are large to cover the main cyber categories as indicated in the NIST framework as such cyber governance, vulnerability management, IAM, PAM, Technology restrictions etc.

LSEG is a leading global financial markets infrastructure and data provider. Our purpose is driving financial stability, empowering economies and enabling customers to create sustainable growth.

Our purpose is the foundation on which our culture is built. Our values of Integrity, Partnership, Excellence and Change underpin our purpose and set the standard for everything we do, every day. They go to the heart of who we are and guide our decision making and everyday actions.

Working with us means that you will be part of a dynamic organisation of 25,000 people across 65 countries. However, we will value your individuality and enable you to bring your true self to work so you can help enrich our diverse workforce. You will be part of a collaborative and creative culture where we encourage new ideas and are committed to sustainability across our global business. You will experience the critical role we have in helping to re-engineer the financial ecosystem to support and drive sustainable economic growth. Together, we are aiming to achieve this growth by accelerating the just transition to net zero, enabling growth of the green economy and creating inclusive economic opportunity.

LSEG offers a range of tailored benefits and support, including healthcare, retirement planning, paid volunteering days and wellbeing initiatives.

We are proud to be an equal opportunities employer. This means that we do not discriminate on the basis of anyone’s race, religion, colour, national origin, gender, sexual orientation, gender identity, gender expression, age, marital status, veteran status, pregnancy or disability, or any other basis protected under applicable law. Conforming with applicable law, we can reasonably accommodate applicants' and employees' religious practices and beliefs, as well as mental health or physical disability needs.

Please take a moment to read this privacy notice carefully, as it describes what personal information London Stock Exchange Group (LSEG) (we) may hold about you, what it’s used for, and how it’s obtained, your rights and how to contact us as a data subject.

If you are submitting as a Recruitment Agency Partner, it is essential and your responsibility to ensure that candidates applying to LSEG are aware of this privacy notice.