BTO, an academic-driven consulting company offering digital transformation advisory and project management services in the IT field, is looking for a consultant to join our client in the banking field.


Main Activities:

  • Assess and implement information security management framework based on industry standards (e.g. ITIL, SSCP, ISO,…)
  • Perform IT Risk Analysis and BIAs
  • Understand and follow up BCP / DRP processes
  • Follow-up IT security controls (NIST standard)
  • Evaluate compliance with CSSF circulars, EBA guidelines, European regulations, Group policies and standards by conducting benchmarks, gap analysis and making recommendations;
  • Join projects and work as PMO for security related aspects
  • Liaise with the IT teams to obtain information on operational controls and controls in progress
  • Establish and formalize new processes and new policies.


  • Bachelor or equivalent certification in computer science, information systems or any other related major;
  • Fluent in English; Fluent in Italian or French;
  • At least 1 year of experience in the IT Security field;
  • Basic knowledge and understanding of GDPR principles
Place of work: Luxembourg, LU (Luxembourg)

Information notice for candidates pursuant to art. 13 of EU Regulation 2016/679 (“Regulation”)

We inform you that this privacy notice is provided pursuant to art. 13 of the EU Regulation 2016/679 (hereinafter "Regulation" or "GDPR") towards subjects who apply for work collaboration. The Data Controller is BTO Spa (hereinafter "Controller") with registered office in Via delle Asole 4, 20122 - Milan.

The Controller can be reached at the following mail address:

1        Categories and types of data processed

Data processed by the Controller may include: common data, such as personal information (e.g. name, surname, date of birth, address, image, sex, marital status, fiscal number, etc.), contact information (e.g. landline/mobile telephone number, e-mail address, etc.), work and professional data (data related to the level of education, data related to previous professional experiences, feedbacks related to the interview).

Except for data on belonging to protected categories, the provision of other particular types of personal data, as defined in art. 9 GDPR, is not required. Pursuant to art. 9 GDPR, “special categories of personal data” are: “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and (…) genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.” However, if you nevertheless send data of this nature, the Controller will destroy them and will not take your profile into consideration for the application purpose.

The personal data indicated above are hereafter referred to as "Personal Data".

2        Purpose and legal basis of Personal Data processing

Personal Data you provide by sending the curriculum or at a later time will be processed for the following purposes:

a)     to evaluate the compatibility of profiles in relation to the open positions and in general to manage selection procedures for collaborators (including sharing profiles with the client for each project);

b)     to contact you, using contact details you have provided, in order to schedule necessary interviews.

The legal bases of the Personal Data processing for the purposes indicated above are articles 6.1.a), 6.1.b) and 6.1.f) of the GDPR, that is, the legitimate interest of the Controller in verifying the suitability of the candidate to hold the specific open position.

The provision of Personal Data for these purposes is optional, but in its absence, the Controller would be unable to evaluate profiles or to schedule interviews.

If your application is accepted, your Personal Data will be processed by the Controller according to the privacy information notice prepared for employees and/or collaborators.

3        Personal Data retention

Your data will be kept for a period of 18 months from the date of their provision and may be used for contacts or possible future interviews and stored in electronic archives, also in order to allow identification and selection in aggregate form. In particular, data will be stored on the management system Allibo HR Software provided by Alliance Software S.r.l. Data will be definitively deleted from the system upon expiration, unless the data subject, upon request of the Controller, gives express consent to an extension of the retention period of the same duration.

4        Recipients

Your Personal Data may be shared with:

a)     subjects that typically act as data processors pursuant to art. 28 of GDPR;

b)     persons authorized by Controller to process personal data in accordance with art. 29 of GDPR;

c)     subjects, institutions or authorities, autonomous data controllers, to whom the Controller is obliged to communicate your Personal Data in accordance with the provisions of law or authorities’ orders.

Data may be accessible to subsidiaries or associate companies for the same purposes described above and/or for administrative and accounting purposes pursuant to art. 6 and to recitals 47 and 48 of the Regulation.

The complete and updated list of processors is available at the Controller at the address indicated above.

5        Data transfer outside EU

As far as the possible transfer of Personal Data outside the European Union is concerned, the Company informs you that the processing will be carried out according to one of the methods allowed by the law in force, such as the consent of the subject involved.

6        Your rights

You have the right to access your data at any time, pursuant to articles 15-22 GDPR. In particular, you can request the rectification, deletion, limitation of data processing in the cases provided for by art. 18 of the GDPR, the withdrawal of consent, to obtain the portability of your data in the cases provided for by art. 20 of the GDPR, as well as lodging a complaint to the competent supervisory authority pursuant to art. 77 of the GDPR (Guarantor for the protection of Personal Data), according to the procedures indicated on the website of the Guarantor accessible at:

You can submit a request of opposition to the processing of your data pursuant to article 21 of the GDPR, giving evidence of the reasons justifying the opposition. The Controller reserves the right to evaluate your request, which would not be accepted where there are compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and liberties.

Requests must be sent in writing to the Controller or to the DPO at the address mentioned above.

