Information Security Officer

  • Full-Time
  • Hampton, VA
  • Old Point National Bank
  • Posted 3 years ago – Accepting applications
Job Description

Position Summary:

The Information Security Officer will establish and maintain an Information Security framework that addresses policy, process, operations, people, and technology to protect financial institution infrastructure, corporate data, and customer assets, and ensure alignment with applicable regulations and laws. The individual will be a member of the Information Technology Leadership team providing independent oversight over the Information Security posture of the financial institution. Through control evaluations, risk assessments and assurance audits the position will provide the financial institution with the ability to self-identify risk while driving information security strategic goals.

Essential Functions:

Strategy

  • Develop a strategic plan for information security identifying security objectives, while ensuring that the company is in regulatory compliance with relevant industry standards.
  • Coordinate and maintain a corporate Information Security Program that provides assurance to management of the confidentiality, integrity and availability of data.
  • Provides subject matter expertise for the development of cyber operations; researches, evaluates and recommends new security tools, techniques, and technologies and introduces them to the enterprise in alignment with the IT security strategy.
  • Develops IS security architecture/designs, plans, controls, processes, standards, policies, and procedures to ensure alignment with IS standards and overall IS security strategy.

Operations

  • Responsible for completion of the annual internal Information Security Risk Assessment, utilizing industry standards to assess and measure threats and vulnerabilities that may affect the financial institution while providing guidance on mitigation strategies.
  • Assesses the overall adequacy and effectiveness of information security tools used to monitor and protect financial institution data. Responsible for testing the Information Security controls to provide assurance to management and external auditors that controls are in place and functioning as intended to protect financial institution data. Serve as a technical escalation resource for Tier I/II SOC Analysts.
  • Involved in a wide range of security operations functions such as incident response, tuning of SIEM tools, digital forensics, privacy incident investigations, assisting with fraud investigations, and technical contributions to risk assessments and data loss prevention monitoring techniques.
  • Establishes and maintains an IT Risk and exception management process and source of record to ensure ongoing management and prioritization of operational, financial, reputational, and regulatory risk. Develop and maintain IT Audit and Control documentation.
  • Responsible for the Incident Response Program development, testing and overall corporate strategy. Assist with the development of processes and procedures to improve incident response times, analysis of incidents, and overall SOC functions.
  • Coordinate annual Business Continuity and Disaster Recovery activities, procedures and documentation.
  • 3rd Party Security Assurance and Risk Assessment - Responsible for performing vendor due diligence for third parties that handle financial institution data to provide assurance that information is secure and in compliance with financial institution data standards. Negotiate the inclusion of security requirements into third party contract agreements. Evaluates and assesses the security of external vendors.
  • Provides Information Security awareness training across the organization creating a calculated approach to possible data breaches and security incidents by anticipating new threats and providing awareness to actively prevent incidents from occurring.
  • Provides key performance data related to information security/threat levels/actions to the COO for reporting to the Board of Directors.
  • Works directly with auditors, examiners and third parties regarding information security data requests and inquiries.
  • Accountable for the understanding of and adherence to operational controls, policies, procedures and processes to ensure compliance with bank policies and related laws and regulations.

Position Requirements (Knowledge/Skills/Abilities):

  • Knowledge and understanding of secure solutions within the financial services industry.
  • Knowledge of security hardware and software products that comply with current industry standards.
  • Knowledge of encryption, firewalls, intrusion detection systems, web filtering, and internal and external network security.
  • Knowledge and experience performing IT and security risk assessments, using both qualitative and quantitative methods to identify, quantify, and communicate risk.
  • Extensive knowledge and experience in Incident Response, Incident Handling and Security Operations.
  • Knowledge and experience in digital forensics preferred to include processes and procedures for collecting and preserving digital evidence, data acquisition, and forensic analysis of data.
  • Knowledge and experience in assessing hosted service architectures (SaaS, PaaS, IaaS).
  • Knowledge and experience performing third-party assessments across information security and control domains, using industry tools/frameworks such as the Cloud Security Alliance and evaluation of Service Organization Controls (SOC) attestations. Manages supplemental evaluation service providers.
  • Knowledge and experience with Data Classification, Data Security, and Data Loss Prevention methods and tools, specifically Microsoft Azure Information Protection.
  • Knowledge and experience conducting and documenting business impact analysis, designing and implementing Business Continuity/Disaster Recovery plans.
  • Knowledge and experience with IT assurance mandates/frameworks such as Sarbanes-Oxley and COBIT.
  • Skill in testing, auditing, risk analysis, business resumption planning, contingency planning, as well as contract and vendor negotiation experience.
  • Ability to identify risks, recommend appropriate controls and the resulting impact of mitigation strategies.
  • Skill in partnering with customers to identify and resolve complex or sensitive issues.
  • Ability to translate technically difficult analysis into layman's terms for non-technical staff.
  • Ability to develop, maintain, and strengthen partnerships with others inside or outside the organization who can provide information, assistance, and support.

Education/Experience:

  • Bachelor's degree in Information Security/Information Systems or a related field.
  • Advanced degree in Information Security/Information Systems.
  • Minimum of five (5) years working in Information Security in a corporate environment.
  • Certification in one or more of the following: CISA, CISSP, CISM (preferred).
  • Experience with SaaS or cloud-based security (preferred).
  • Experience working with a Financial Institution (preferred).

Physical Requirements

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

While performing the duties of this job, the employee is frequently required to sit; use hands to finger, handle, or feel; and talk or hear, and is occasionally required to stand, walk, reach with hands and arms, and stoop, kneel, crouch, or crawl. Specific vision requirements for the job include close vision (at 20 inches or less) and the ability to recognize colors.

Working Conditions

The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

The work environment is typically indoors and in an office setting. The noise level within the work environment is typically moderate.

The specific statements shown in each section of this position description are not intended to be all-inclusive. They represent typical elements and criteria necessary to successfully perform the job.