
VP, Information Security Officer

Job Details

Natick, MA
Full Time
$85,106.00 - $137,807.00 Salary
Any
Information Technology

Description

Position Description

Title: VP, Information Security Officer

Department: Risk Management

Reports to: FVP, Chief Risk Officer

Supervises: None

Classification: Exempt

Date Prepared: February 2025

Summary / Objective

Reporting to the FVP, Chief Risk Officer, the VP, Information Security Officer has overall responsibility for the leadership and management of the Information Security, Privacy, and Disaster Recovery/Business Continuity Programs. This position is responsible for all aspects of Gramm-Leach-Bliley Act (GLBA) compliance. This individual is expected to stay current with emerging cybersecurity threats, trends, and practices, to draw on multiple threat intelligence sources, and to stand ready to activate the Bank's incident response plan. Additionally, this position is expected to act as a resource for, and assist with, projects that affect the Bank.

Experience & Education Requirements:

  • Bachelor’s degree in Computer Science, Information Security, Information Technology, or another relevant field.
  • 5-7 years of experience in Information Security, Information Technology, and/or Fraud Investigations.
  • Certification in Information Security (Security+, CISSP, CISM, CISA) is desirable.
  • Extensive proven background in compliance and information security in a regulated industry (financial, health care, government, etc.).

Specific Job Functions:

  • In the performance of respective tasks and duties, the employee is expected to successfully perform quality work within deadlines with or without supervision; interact professionally with other employees, customers, and vendors; work effectively as a team contributor on all assignments; and work independently while understanding the necessity of communicating and coordinating work efforts with other employees and organizations.

Information Security

  • Define the strategy for, direct, and lead the continuous improvement of the Bank's information security, asset protection, data governance, data management, and compliance programs so that they remain fully functional, compliant, and secure.
  • Develop and deliver board-level reporting on how cybersecurity preparedness is measured.
  • Prioritize and execute investments that reduce overall cybersecurity risk, enhance defenses, and remediate security exposures; direct the implementation of new cybersecurity solutions.
  • Establish and maintain policies, procedures, standards, and guidelines that enable the Bank's information security strategy, based on established cybersecurity frameworks (NIST, FFIEC, etc.).
  • Perform regularly scheduled information risk and security reviews of various systems and applications in accordance with established standards and procedures. These reviews include, but are not limited to, patch management, firewall configuration, user access reports, user roles, and antivirus.
  • Act as incident manager for cyber security incidents and be the point of escalation.
  • Investigate insider threats and cyber security events, perform digital forensics, and document incidents.
  • Provide strategic risk guidance for IT projects, including evaluation and recommendation of technical controls and disaster recovery procedures.
  • Design, perform, and/or oversee penetration testing, vulnerability assessments, and social engineering testing.
  • Perform risk assessments to identify gaps in information security controls (application and infrastructure) and in regulatory compliance (including GLBA), for both internal technology solutions and solutions provided by third-party service providers.
  • Offer guidance on special technology-based projects.
  • Maintain a thorough understanding of global, regional, and local regulatory requirements that have technology impact.
  • In conjunction with the training department, conduct training, employee on-boarding and awareness campaigns, along with tests/simulations to measure their effectiveness on all aspects of Information Security.

Disaster Recovery and Business Continuity

  • Develop and maintain the Bank’s Disaster Recovery / Business Continuity Plan and Incident Response Plan.
  • Develop disaster recovery plans for physical locations with critical assets such as data centers.
  • Maintain and review each business unit’s Business Impact Analysis to ensure business units are properly prepared in case of disaster.
  • Monitor on-going testing of individual recovery plans within each business unit.
  • Lead, coordinate, and document regularly scheduled Disaster Recovery / Business Continuity testing.
  • Assist in leading the Bank’s crisis team in the event the BCP is activated.

Privacy

  • Establish and maintain policies, procedures, standards, and guidelines for the Bank’s Privacy Program.
  • Responsible for updating Privacy Policy and notices, as necessary.
  • Respond to data subject requests, as applicable.
  • Conduct privacy impact assessments for new products or initiatives to evaluate and mitigate risks related to processing, transmission, and storage of Non-Public Customer Information.
  • Remain current on the evolving privacy legal and regulatory landscape and assess the potential impact on the Bank’s operations as well as on its products and services offered to consumers; collaborate to ensure projects and tasks are initiated to reflect the changing landscape.

General

  • Assist internal, external, and regulatory auditors with the collection of requested materials as assigned with their respective engagements.
  • Provide regular reporting to bank management for the Information Security Program and all GLBA compliance.
  • Ensure that all areas of direct responsibility operate within the requirements of State and Federal law.
  • Participate in user groups for third-party service providers, industry trade groups, and educational programs to remain abreast of current issues and requirements that impact the Bank.
  • Coordinate materials and responses for internal and external examinations and for ad hoc regulatory inquiries related to all areas of responsibility.
  • In the performance of respective tasks and duties, the employee is expected to maintain knowledge of and ensure compliance with Bank Secrecy Act regulations and to adhere to compliance procedures and internal/operational risk controls in accordance with all applicable regulatory standards, requirements, and policies, as well as attending all required training sessions and completing all required online training courses.

Other duties as assigned, performing similar or related work as directed, required, or as situation dictates.

Qualifications

Required knowledge, skills & abilities:

  • Strong risk management skills and mindset
  • Extensive knowledge of cyber security concepts, principles, methods, and products
  • General knowledge of financial and banking technology including core banking software, loan origination platforms, online and mobile banking platforms, general ledger software, ATM technology, etc.
  • Proficiency in interpreting and analyzing impact of federal and state regulations, with particular proficiency in banking regulations required.
  • Experience performing compliance reviews/audits for a financial institution.
  • Experience in developing and delivering Information/Cyber Security or other technical training.
  • Proficient in Microsoft Office Suite products
  • Compliance with BSA regulations as appropriate to the position

Physical Demands and Work Environment:

  • Ability to use standard equipment such as computers, phones, photocopiers
  • Sitting for longer periods of time
  • Must be able to work schedules that meet the needs of the Bank, which may include early morning, evening, and/or weekend hours

Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Other Duties

This job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. It is expected that from time-to-time other duties, both related and unrelated to the above, may be assigned and therefore, required.
