The Chief Information Security Officer is responsible for oversight of the Information Security Department. This position is also responsible for the execution of the Bank's Information Security, Physical Security, Data Governance, and Business Continuity Programs.
- Develop, implement and monitor a strategic, comprehensive enterprise information security program to ensure the integrity, confidentiality and availability of data. Document and maintain a risk assessment framework covering information and physical security, data governance and business continuity. Develop and maintain information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies, standards and guidelines.
- Develop and oversee effective business continuity and disaster recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure systems are recovered in the event of a security event.
- Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action. Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.
- Partner with the Enterprise Risk Management to define standards and processes and provide subject-matter expertise to oversee vendor information security risk and inform periodic audits of third-party service providers' information security and business continuity controls. Provide regular and consistent reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of the strategic enterprise risk management program
- Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls. Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address findings. Develop and manage information security budgets, and monitor them for variances.
- Responsible for supervisory duties such as hiring, firing, coaching, training, performance evaluation, salary decisions, etc.
- Must have 10+ years' experience in banking regulatory compliance or similar work experience in compliance or risk management.
- Must have extensive knowledge of privacy and data protection laws, regulations and best practices, including GLBA; GRC tools and implementation; data breach handling and cross-border data transfer requirements and industry standards/frameworks (NIST, ISO27k, COBIT 5, FFIEC).
- Strong presentation and written communication skills and the ability to analyze and make effective, business-centric recommendations to business leaders and senior management.
- Experienced developing a comprehensive security program, including risk assessment framework.
- Must have security certification CISM, CISSP, or equivalent.
KNOWLEDGE, SKILLS, ABILITIES REQUIRED:
A seasoned, experienced leader with a full understanding of Information Security, Data Privacy, and Business Continuity providing leadership and solutions to a wide range of situations. Responsible for the Information Security Department which is responsible for the adherence to the required privacy and information security compliance program activities including data classification, privacy impact assessments, product and service risk assessments, vendor due diligence, data management and protection, and meeting compliance program operational needs. Responsible for the development, implementation and execution of the Bank's strategic information security program that ensures the integrity, confidentiality and availability of data. As part of this program, document and maintain a risk assessment framework covering both information and physical security, and leverage such risk assessment to support prioritization of enhancements required. Responsible for the strategy and delivery of business continuity planning (BCP) and related program and project management, services, and staff mentoring in BCP activities in alignment with the FFIEC Business Continuity Planning Handbook. Partner with the Enterprise Risk Management to define standards and processes and provide subject-matter expertise to oversee vendor information security risk and inform periodic audits of third-party service providers' information security and business continuity controls. Responsible for the development and management of information security budgets and the strategic direction of future security related projects. Responsible for the creation and management of security metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increate the maturity of the security program.