AVP Information Security Officer (Iso)

Description

Primary Summary:

To establish, implement, and maintain the Credit Union's information security program, including developing security policies and procedures, managing security controls, ensuring regulatory compliance and leading incident response efforts institution wide. The ISO collaborates with leadership across departments to promote a culture of security awareness and ensure that risks are properly managed throughout all project and system life cycles. The ISO is responsible for managing the vendor management program for the credit union.

Essential Functions/Position Responsibilities:

• Responsible for the design, performance, planning, budgeting, securing, monitoring, and integration of Cybersecurity initiatives throughout the credit union. Develop, implement and maintain the credit union's information security strategy, standards and policies.
• Consult with all levels of management to determine information security requirements to establish boundaries and priorities for new projects and to discuss system capacity and equipment acquisitions.
• Establish, adhere to and enforce system security policy and standards; develop, maintain and update appropriate policies and procedures. Maintain an awareness of all laws, regulations, developments and trends that may affect Information Systems, vendor management and information security.
• Conduct regular risk assessments; vulnerability assessments and scans; and penetration tests on technology infrastructure, applications and networks to identify and address potential risks. Develop risk mitigation plans to safeguard against cyber threats and vulnerabilities.
• Conducts annual and periodic information security training for staff.
• Conduct Incident Response table-top exercises to meet Incident Response Plan policy requirements.
• In coordination with the Information Technology Officer (ITO), conduct an independent 3rd party IT/Information Security Audit annually - to include External and Internal PEN testing.
• Manage the Vendor management program and maintain ongoing vendor due diligence, and the Watch List management matrix and provide monthly Vendor Management Report to the Board and Senior Management.
• Co-chair Disaster Recovery and Business Continuity planning. Periodically test the emergency restoration plan for the company and other applications as deemed appropriate.
• Develops, maintain all information security policies and procedures.
• Maintain the Business Network of Emergency Resources (BNET) Corporate Emergency Access System (CEAS) for badge holders. Maintain subscriptions and memberships with FS-ISAC, US-CERT, and FBI InfraGard.
• Provide monthly Information Security report, annual NCUA 748 Information Security Program status report to the Board and Senior Management. Responsible for tracking and reporting information security updates, vulnerabilities remediation, information and physical security incidents, CATO incidents, Red-Flag Identity Theft incidents, GLBA unauthorized disclosure incidents and Information Security threats.
• Must comply with applicable laws and regulations, including but not limited to, the Bank Secrecy Act, the Patriot Act, the Gramm-Leach-Bliley Act (GLBA), and the Office of Foreign Assets Control.

Requirements

Experience

A minimum of ten years of experience is required, including time spent in preparatory positions.

Education/Certifications/Licenses

Bachelor's degree in Information Technology, Computer Science or related field.

Relevant certifications (e.g. CISSP, CISM, CISA) strongly preferred.

CRVPM ( Certified Regulatory Vendor Program Manager) strongly preferred.

Project management experience and certifications strongly preferred.

Interpersonal Skills

This position requires a significant level of expertise, credibility, influence and trust. Proficiency in developing and delivering material presentations on complex topics can be important to fulfilling the responsibilities of the position.

Other Skills

Will be required to work outside of scheduled hours to respond to pertinent position issues.