Information Security Manager

Position Purpose

The Information Security Manager is responsible for implementing and overseeing the credit union's enterprise-wide information security / cyber security program ("Information Security Program") and will act as the designated Information Security Officer of the credit union.

The position will serve as a process owner and strategic leader of the Information Security Program, ensuring that the program aligns with the vision, mission and business plans.

This role is accountable to complete all assigned compliance and information security training and comply with the credit union's policies and procedures related to the Bank Secrecy Act and Office of Foreign Assets Control (OFAC).

Duties & Responsibilities

Assumes responsibility for the execution of the Information Security Program:

• Create and complete comprehensive risk assessments and cybersecurity assessment tools in line with industry best practices.
• Perform firewall configuration and/or modifications, as needed.
• Monitor network resources, including but not limited to firewall, virus, and spyware protection, analyze and investigate security events and respond to incidents.
• Perform network device hardening in alignment with industry best practices.
• Validate server and endpoint hardening activities and provide direction according to industry best practices.
• Perform network analysis, as needed.
• Work with internal and external auditors and engage productively with regulatory examiners to provide program documentation and resolve and remediate findings.
• Create and maintain policies and procedures in support of the Information Security Program.
• Manage the enterprise system logging program, develop controls for system monitoring and alerting, interpret the log activities, develop plans for remediation efforts and report results to management.
• Lead the credit union's incident response efforts, including testing, plan creation, communication with management and the Board of Directors (when needed), utilization of external and internal resources, notification of impacted members and regulatory authorities, documentation of all efforts and conducting lessons learned to ensure improvements are made to the program.
• Implementing a comprehensive training and awareness program for all employees and volunteers, tracking compliance and understanding and reporting on key training metrics.
• Prepare and present quarterly and annual information security reports as directed by management and the Board of Directors.
• Actively engage, participate and support the Enterprise Risk Management Program, including ensuring consistency in reporting, risk assessments and communications.
• Prepare a detailed budget for all expenses associated with the Information Security Program.
• Review the information security and business resiliency documentation for vendors that are deemed high risk and those that have access to, store or transmit non-public personal information of members and employees.
• Review contracts with third-party vendors for agreeable terms associated with cyber security and offer input and guidance to key stakeholders during the contract review process.
• Assist with the due diligence reviews of new vendors and the setup and implementation of new and existing systems and software.
• Assist with the development and maintenance of the credit union's Business Continuity Plan and business impact analysis.
• Develop strong working relationship with management and Team Members to develop and implement controls and configurations aligned with information and cybersecurity policies and legal, regulatory and audit requirements.
• Serve as the Information Security Officer and Privacy Officer of the credit union.
• Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and follow policies and audit requirements.
• Assess current and emerging threats, cyberattacks and vulnerabilities and effectively communicate recommended actions and strategies to management.
• Maintain thorough knowledge of and ensure compliance with applicable federal and state laws, rules, regulations, REV policies and procedures, and service level agreements.
• Manage the credit union's data classification system.
• Define and report on key metrics to demonstrate the strength, progress and success of the Information Security Program.

Assumes responsibility for the role of the information security risk management function in various credit union efforts:

• Collaborate effectively with other credit union leaders to support credit union projects.
• Research and implement new processes and technology to improve operational efficiency.
• Provide training as needed for the effective implementation of information security best practices.

Assumes responsibility for complying with applicable regulations:

• Responsible for supporting compliance of all applicable laws and regulations that the credit union is subject to.
• Assumes responsibilities for related duties as required or assigned.

Skills & Qualifications

Education/Certification & Experience:

• A minimum of eight (8) years' experience in an information technology security role, with experience in financial services preferred.
• Information security industry certification (CISSP, SSCP, GIAC, GSEC, Security+, CITSM, CISA, etc.) strongly preferred.
• Clear understanding of the OSI model.
• Demonstrated experience developing thorough risk assessments and completing cybersecurity assessment tools.
• Strong familiarity and experience with industry-recognized information security management frameworks, such as NIST, ISO 2700x, ITIL and COBIT, and current security tools and applications.
• Intermediate experience with scripting and/or programing and the ability to read and review software code.
• Experience working with legal, audit and compliance staff.
• Proven experience in reading and interpreting compliance rules, regulations and regulatory guidance, including the GBLA, FFIEC and PCI.

Skills/Abilities:

• Proven ability to create, comprehend, analyze, and interpret complex rules, regulations and regulatory guidance.
• Proven ability to write reports, assessments, procedures, and policies.
• Proven ability to conduct financial and business analyses.
• Proven ability to solve advance problems and deal with a variety of options in complex situations.
• Proven strong analytical and quantitative skills.
• Proven strong Microsoft Office Suite product skills and project management software skills.
• Proven ability to collaborate with a variety of leaders.
• Proven ability to negotiate effectively with key employees, senior management, and vendors.

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities:

The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)