Information Security Governance Lead

About The Position

Requirements

• Bachelor’s degree or a combination of education and experience.
• 3 years of experience working at a financial institution.
• 3 years of experience in risk management, compliance, information security or a related field.
• 3 years of experience working in or closely with the Information Technology.
• Experience with regulatory compliance frameworks such as CIS, FFIEC, NIST, ACET, InTREx, GLBA, PCI-DSS, etc.
• Experience conducting risk assessments and implementing risk mitigation strategies.
• Familiarity with reviewing vendor due diligence including contract terms, penetration tests, and SOC reports.
• Strong understanding of information security.
• Proficiency in using risk assessment tools and methodologies.
• Ability to document and communicate risk and control maturity in clear terms for leadership reporting.
• Strong facilitation skills to plan and run exercises and drive follow-through on improvement actions.
• Strong written documentation discipline (standards, evidence organization, and repeatable processes).
• Familiarity with compliance management software or Governance, Risk, Compliance (GRC) tools.
• Excellent analytical and problem-solving skills.
• Strong communication and interpersonal skills.
• Ability to work independently and collaboratively in a team environment.
• Attention to detail and proactive approach to identifying and addressing risk.
• Possess a working knowledge of all relevant Banking Rules and Regulations.

Nice To Haves

• Certifications such as CRISC, CISSP, CISM, CySA+, CASP+, CRVPM, or CRBCMA preferred but not required.

Responsibilities

• Assess risks associated with information technology including systems, applications, data and infrastructure.
• Conduct periodic information security control assurance assessments by evaluating the design and effectiveness of safeguards against internal requirements and well-known frameworks (e.g., NIST, CIS), documenting results, gaps, and prioritized recommendations.
• Lead the organization’s Vendor Management program for new and existing third-party relationships, including due diligence reviews of contract terms, penetration tests, and SOC or IT Audit reports.
• Regularly review and recommend adjustments to information security training programs to ensure training is addressing the highest risks to the credit union and meeting all compliance requirements and best practices.
• Develop and maintain a comprehensive IT risk register, documenting identified risks and their potential impacts.
• Collaborate with IT and physical security to design and implement risk mitigation strategies.
• Monitor and track the effectiveness of risk mitigation efforts, recommending adjustments as necessary.
• Recommend adjustments to policies, procedures, and controls to better manage IT compliance risks.
• Maintain awareness of relevant regulations and guidance (e.g., FFIEC, GLBA, PCI-DSS) and translate requirements into practical control expectations and assessment criteria.
• Track response to information security alerts to ensure timely resolution based on risk severity.
• Report on aging of vulnerabilities and penetration test findings and track remediation efforts.
• Compile and present security posture metrics appropriate for dissemination to senior leaders and the board.
• Perform and manage user access reviews for key systems, documenting exceptions and remediation efforts.
• Prepare executive-level IT risk reports for senior management and stakeholders.
• Maintain up-to-date knowledge of regulatory changes and industry best practices related to IT compliance.
• Support business continuity and incident response governance by coordinating updates with plan owners, ensuring roles, escalation paths, business impact analysis, playbooks, and other documentation remain current.
• Provide guidance and support to IT and business teams on compliance related issues.
• Plan, facilitate, and document periodic business continuity and incident response tests/exercises, capturing outcomes and improvement actions and tracking follow-through to completion.
• Prepare and assist with collecting evidence for regulatory exams and audits.
• Assist in the investigation of IT compliance incidents and breaches and prepare reports on findings.
• Coordinate with internal and external stakeholders during compliance investigations and audits.
• Administer the information security risk acceptance process.
• Promote a culture of compliance.
• Additional duties as assigned.

Benefits

• Medical, dental and vision insurances
• Supplemental insurances
• Pre-tax and Roth 401(k) Safe Harbor options
• Flexible spending accounts
• Health Savings Account (HSA)
• Paid time off (PTO)
• Paid holidays, including birthday
• Bereavement and pet leave
• Basic Life/AD&D, short-term and long-term disability coverage at no cost
• Voluntary Life/AD&D
• Employee Assistance Program