
Director of Information Security (Information Security Officer)

Penn Community Bank
United States, Pennsylvania, Perkasie
May 15, 2026

Job description:

Essential Functions

The following is a list of essential functions, which may be subject to change at any time and without advance notice. Management may assign new duties, reassign existing duties, or eliminate a function.

  • Manage the Information Technology Compliance Department, including training and cross-training, policies and procedures, cybersecurity, third-party vendor risk management, incident response, information security, the Artificial Intelligence User Acceptance Policy with its training and supporting documents, risk assessments, development, work schedules, internal/external audits/exams, regulatory controls, and staffing for the department. Mentor the staff in areas that will enrich their knowledge of banking. Assign staff one-off advancement opportunities to assist with their growth potential.
  • Cybersecurity Program - Serve as the head coordinator and lead manager by implementing up-to-date security strategies and objectives for the enterprise. Establish and maintain threat intelligence monitoring to address current and emerging risks; report cyber risks to the appropriate internal management staff; log cyber risks and follow through with vendors; handle regulatory and cyber insurance reporting; run the phishing email reporting and rewards processes; develop employee, department and Board training awareness programs; implement regulatory cyber guidance; perform security risk assessments covering the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework) 2.0, GLBA (Gramm-Leach-Bliley Act) and Department Cyber Awareness; maintain an asset inventory of customer data and vendor data workflows; produce cybersecurity reporting; maintain cyber forensic consultants; and make ongoing program enhancements as warranted. Prepare policy reports and dashboards for senior management and the Information Technology Steering and Cyber Committee (ITSCC) to show the effectiveness of the cyber program. Identify and assess cybersecurity risks, including potential threats. Communicate security risks and strategies to senior management and the Board of Directors when necessary. Develop and deliver security awareness training programs for Team Members and the Board of Directors. Form cybersecurity networking relationships with government offices. Maintain membership with cyber advisory councils and intelligence organizations such as FS-ISAC (Financial Services Information Sharing and Analysis Center), CISA (Cybersecurity and Infrastructure Security Agency), ABA (American Bankers Association), InfraGard (an FBI national cybersecurity private sector organization), FDIC (Federal Deposit Insurance Corporation) and other government cyber agencies. Report important ongoing cybersecurity updates to the ITSCC and follow regulatory guidance updates. Adhere to the regulatory notification rules.
  • Third-Party Vendor Risk Management Program - Serve as the head coordinator and lead manager implementing third-party vendor risk strategy, regulatory guidance, and objectives for the Bank. Establish and maintain new vendor, ongoing vendor, contract/agreement renewal change and termination processes within the risk assessment program. Following regulatory guidance, develop and maintain the appropriate policy, procedures, workflows, and Board awareness processes. Perform ongoing and new vendor reviews covering SOC (System and Organization Controls) reports along with User Entity Control outlines, Business Continuity Plan, disaster recovery and testing, information and cybersecurity, insurance coverage, financial statements, and information technology security vendor calls as required, and obtain and review the FFIEC (Federal Financial Institutions Examination Council) Report of Examination on required vendors. Maintain ongoing vendor monitoring as warranted. Report important ongoing updates to the ITSCC and implement regulatory guidance updates as required.
  • Incident Response Program - Develop and administer Incident Response events, policy, procedure, playbook scenario outlines, meetings, and quarterly testing requirements.
    • Prepare documentation for the quarterly ITSCC meetings, manage setting up the agenda topics and prepare the correspondence.
    • Invoke the Incident Response Plan when warranted; alert Executive Management; and coordinate communication, logging, cyber insurance notification, and regulatory and vendor notifications as determined under the Computer Security Notification Rule.
    • Incident Response Quarterly Testing - Manage, design and host quarterly incident response testing sessions. Determine corrective action items and follow through with reporting and seeking resolutions.
    • Maintain the Incident Response Playbook to address evolving events and changes.
    • Maintain Incident Response Plan documents, logs, email chains, postmortem discussions, regulatory and cyber insurance notifications as needed and report to the Information Technology Steering and Cyber Committee.
    • Follow regulatory guidance to maintain the Incident Response Program and Reporting.
    • Continually train ITC team members and maintain cybersecurity consultant contacts.
  • Information Security Program - Develop, maintain, and enforce the Bank's Information Security Program and related policies and procedures which need to be approved annually by the ITSCC, Audit Committee, and the Board of Directors. Oversee and review Information Security Reporting (specific security application reports). Through the Information Security Program, develop and implement a comprehensive information security strategy that aligns with the Bank's business goals and risk tolerance.
  • Business Continuity / Disaster Recovery Policy - Develop, maintain, and enforce the Bank's policy, which needs to be approved annually by the ITSCC, Finance Committee, and the Board of Directors.
  • Risk Assessments: NIST CSF 2.0 Cybersecurity, Department Cybersecurity, R-SAT (Ransomware), GLBA Data Protection and Privacy, and Third-Party Vendor Risk Management. Create, update, and maintain annual risk assessments that cover detecting, monitoring, and reviewing risk threat awareness.
    • Cybersecurity Risk Assessments: Perform the NIST CSF 2.0 cybersecurity risk assessment in conjunction with our vendor and involve other departments as required. Perform the Department Cybersecurity risk assessment to gather our managers' cybersecurity awareness and security measures. Involve our IT Department and IT vendors to perform the R-SAT ransomware assessment.
    • GLBA (Data and Privacy) Risk Assessment: Perform the data protection risk assessment in conjunction with the vendor.
    • Manage the initial review/update of the templates, outline updates as necessary and send them out to department management for updating. Review all risk assessments, prepare the cover memorandums, evaluate takeaway items, and obtain all sign-offs. Present to the ITSCC and Board Compliance Committees annually.
  • Artificial Intelligence - Manage the Artificial Intelligence User Acceptance Policy and its training documentation, and coordinate policy documentation as required by regulatory guidance. Assist the Chief Information Officer with artificial intelligence meetings, documents and other requests.
  • ITC Budget - Responsible for managing the monthly and annual budget process. Process invoices.
  • Core System Security Review - Manage the monthly core critical system change review. Create the core system security reports, disseminate them to the appropriate department managers to perform reviews, and collect the returned management sign-offs.
  • Develop and maintain proper compliance and regulatory controls within the department.
  • Develop and maintain processes and procedures within the department and prepare and manage the department budget.
  • Create and update the department's policies and procedures.
  • Serve on various committees within the Bank and outside user groups.

Relationships and Contacts

Internal: Directly supervises the ITC department, frequent contact with team members of various levels throughout the Bank.

External: Frequent contact with bank vendors, security agencies, regulatory agencies, and banking user groups.

Compliance

  • Comply with all applicable regulations and Bank policies regarding employment and employment law.
  • Participate in annual compliance and other job-related training.
  • Comply with applicable bank regulations, Bank policies and procedures.
  • Comply with Bank's internal privacy and ethics standards.

Education and Experience

  • Bachelor's degree from a four-year college or university and 5 years of banking senior management information security officer experience, or
  • 10+ years' experience in senior management, with direct leadership experience in three or more of the functional areas covering cybersecurity, third-party vendor risk management and incident response.
  • Prior tenured Information Security Officer leadership role experience.

Skills and Competencies

  • Strong tenured experience implementing and managing financial institution compliance functions, cybersecurity, third-party vendor risk management, incident response management, information security and risk assessment creation, with enterprise-wide banking knowledge and in-depth regulatory understanding
  • Superior ability to read, analyze, and interpret government rules, regulations, interpretive letters, trade journals, and legal documents. Must be able to respond to common inquiries from regulatory agencies, courts, and outside consultants
  • Strong management skills
  • Ability to prioritize tasks and manage multiple projects at one time
  • Ability to interact effectively with all levels of staff and management
  • Excellent interpersonal skills
  • Strong problem solving and project management skills
  • Effective oral and written communication skills
  • Willingness to work flexible hours if necessary
  • Computer experience with Microsoft Word and Excel

Working Conditions

Traditional office environment with the ability to work remotely on a hybrid basis; the office maintains five-day-a-week operations (Monday - Friday) with operational hours of 8:00am - 5:00pm.

Penn Community Bank is an equal opportunity employer.
