Minimizes information security risk to the credit union and member data by leading team members, managing security best practices, projects, services, and daily operations focused on information security. Monitors security events and activities using tools and testing, to enhance and improve security and controls. Provides oversight and management to protect the information assets of the Credit Union and supports the information technology governance policies and processes, compliance, information security, change control and disaster recovery/business continuity plans. Will actively work with business partners and services providers to institutionalize a solid security and overall IT governance framework. The information security program is designed to safeguard the confidentiality, integrity, and availability of the Credit Union's information systems and information assets.
Major Duties and Responsibilities
35% - Manages the daily activities of assigned team members to maximize the quality of work and productivity, including cross-functional team members and tasks/projects. Manages the security change management governance and process; evaluates, selects and implements security tools; provides leadership and delivery of security services. Manages the information security training and awareness program activities. Creates and updates program documentation such as policies, procedures, status reports, budgets, and similar related documents as required. Provides reports/presentations to senior leadership and BOD as needed.
30% - Develops and maintains an information security risk management program designed to assess inherent risks, controls, and residual risks to credit union data. Oversees the coordination and execution of security assessments, device security health checks and security enhancements. Directs penetration tests, vulnerability scans and the vulnerability management program. Creates remediation plans to address relevant security findings. Monitors advancements in information security technologies and adapts new technology to enhance the company's security posture. Coordinates with business unit leaders to update business continuity and disaster recovery plans to address information security threats. Directs the DR/BCP plans for the credit union. Ensures compliance with NCUA Rules and Regulations Part 749, Appendix B. Validates the DR/BCP plans by facilitating mock disaster tabletop exercises. Responsible for the quality of cyber and information controls including compliance with NCUA Rules and Regulations 748, Appendix A, Part III B. Develops and maintains GLBA and other information security risk assessments designed to evaluate inherent risks, controls, and residual risks to confidential information and information systems, and participates in internal/external audits.
25% - Oversees IT security services and tasks, including monitoring of security information, events, logs, and alerts. Acts as lead member of the information security incident response team and coordinates the response during security incidents. Manages and coordinates with partners as needed during incidents, investigations and forensic activities. Reports security incidents, risks, trends and threats to senior management and proposes remediation solutions.
10% - Works with IT and non-IT staff on security program initiatives and resolves security-related issues, including leadership of projects and technical implementations. Provides vendor management cyber risk assessments and reviews in support of the corporate ERM function. Interfaces with credit union management and external service providers on behalf of the Information Security Program.
- Must comply with all company policies and procedures, applicable laws and regulations, including but not limited to, the Bank Secrecy Act, the Patriot Act, and the Office of Foreign Assets Control.
Salary - Grade 13
Knowledge and Skills
Possess knowledge and understanding of a breadth of information technologies and information security topics. Understand networking protocols, firewall functionality, host and network intrusion detection systems, and vulnerability assessments. Demonstrated ability in the development of solutions and/or mitigations related to security vulnerabilities. Experience in application security, penetration testing and user access monitoring is required. Recognized information security certification(s) are preferred; ISACA, ISC2, SANS and/or CISSP credentials are a plus.
A Bachelor's degree in Information Technology from an accredited college or university plus four (4) years' experience in a key information technology position in a financial institution; or an Associate's degree in Computer Science or a related field from an accredited college plus six (6) years' experience in a key information technology position in a financial institution, with two (2) years' experience in a key management or supervisory position in a financial institution.
Self-motivated to carry out assignments with minimal supervision and collaborate well with others.
A working knowledge of firewalls, intrusion detection, vulnerability assessment and other security best practices is imperative.
Perform primarily sedentary work with limited physical exertion and occasional lifting of up to 30 lbs. Must be capable of climbing/descending stairs in an emergency situation. Must be able to operate routine office equipment including telephone, copier, facsimile, and calculator. Must be able to routinely perform work on a computer for an average of 6-8 hours per day, when necessary. Must be able to work extended hours whenever required or requested by management. Must be capable of regular, reliable and timely attendance.
Must be able to routinely perform work indoors in climate-controlled shared work area with minimal noise.
Mental and/or Emotional Requirements
Must be able to perform job functions independently or with limited supervision and work effectively either alone or as part of a team. Must be able to read and carry out various written instructions and follow oral instructions. Must be able to speak clearly and deliver information in a logical and understandable sequence. Must be capable of complex mathematical calculations and must spell accurately. Must be capable of dealing calmly and professionally with numerous different personalities from diverse cultures at various levels within and outside of the organization, and must demonstrate the highest levels of customer service and discretion when dealing with the public. Must be able to perform responsibilities with composure under the stress of deadlines, requirements for extreme accuracy and quality, and/or a fast pace. Must be able to effectively handle multiple, simultaneous, and changing priorities. Must be capable of exercising the highest level of discretion on both internal and external confidential matters.