The Information Governance and Risk Manager is responsible for overseeing and reporting on the governance, risk, and compliance (GRC) of information security risk mitigation activities across the Bank. This position is a critical assurance role which must identify and implement current internal IT GRC practices to ensure companywide compliance with all regulatory requirements and appropriate industry best practices.
PRIMARY DUTIES/RESPONSIBILITIES:
Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.
- Oversees and reports on the management and mitigation of information security risks across the Bank, reporting directly to the CEO.
- Develops, implements, and maintains IT governance frameworks, policies, and procedures to ensure alignment with organizational goals and objectives as well as industry and regulatory standards such as NIST and the Gramm-Leach-Bliley Act (GLBA).
- Ensures that access control of data is assigned to the appropriate Data Owners and reviews of access control are performed by those designated data owners.
- Reviews and approves security exception requests that expose the Bank to organizational risks (firewall requests, website access, etc.).
- Reviews and writes privacy and GLBA related policies and procedures and submits annual reports to the Board of Directors detailing privacy and GLBA issues.
- Monitors and addresses current and emerging risks, and in collaboration with the Bank’s Chief Technology Officer, Technology Steering Committee and Executive Management, develops and implements strategies and controls to mitigate risks.
- Conducts ongoing information security compliance monitoring activities, performs safeguarding customer information risk assessments for all areas of the Bank and works with personnel throughout the Bank on identifying acceptable levels of residual risk.
- Participates in major information technology projects of the Bank assuring that effective processes for information technology risk management, including those that relate to cybersecurity, are in place.
- Engages with management in lines of business to understand new initiatives, provides information on the inherent information security risk of these activities, and outlines ways to mitigate the risks.
- Champions security awareness and training programs, fostering a culture of IT compliance and risk awareness throughout the organization.
- Participates in industry collaborative efforts to monitor, share, and discuss emerging security threats, maintains advanced knowledge and awareness of financial industry technical status and trends.
- Participates as a member of the Incident Response Team in the event of a technology incident, assists in the establishment of procedures to address security incidents and partners with members of management to investigate and resolve potential security breaches.
- Serves on the Bank’s Technology Committee and Technology Steering Committee to assist in defining information security objectives, and provide strategic and visionary planning, risk management, resource allocation, monitoring of the information security landscape, and evaluation of the status and success of projects.
- Reports significant security events to the Board of Directors, Technology Committee, Chief Technology Officer, Executive Management, government agencies and law enforcement, as appropriate, and works with the Bank Secrecy Act Officer and Bank Security Officer in completing and filing Suspicious Activity Reports (SARs) if warranted.
- Responsible for enterprise-wide Business Continuity Planning (BCP), including the establishment and validation of policies and procedures to restore business-critical services of the Bank in the event of a disaster or other disruptive event. Ensures that each department or division has an up-to-date, appropriate plan.
- Develops, implements, and monitors information security policies and controls to ensure data integrity, security, systems performance, and legal and regulatory compliance. Must ensure compliance with internal and external audit requirements. Must maintain advanced knowledge of cyber security issues, requirements, laws, and trends.
COMMITTEES
- Management Team
- Technology Committee
- Technology Steering Committee
- Technical Change Advisory Board