Information Security Manager

About The Position

Requirements

• 3+ years of information security experience with a strong emphasis on hands-on program execution — risk assessments, policy writing, audit preparation, and control documentation
• Deep, working knowledge of the FFIEC IT Examination Handbook requirements, including the new tools available to replace the retired Cybersecurity Assessment Tool (CAT)
• Direct experience completing SOC 2 readiness assessments and producing formal gap analysis and remediation documentation
• Demonstrated ability to author professional-grade security deliverables - policies, risk assessments, remediation plans, board summaries - independently and to a high standard
• Strong written communication skills; comfortable producing polished, client-facing documents without editorial support
• Proven ability to manage multiple client engagements simultaneously with discipline, reliability, and follow-through
• Active CISSP, CISM, CRISC, or equivalent certification
• Direct experience preparing financial institutions for FDIC, OCC, or NCUA IT examinations and responding to regulatory findings
• Familiarity with GRC platforms commonly used in financial services (e.g., Ncontracts, LogicManager, or similar)
• Working knowledge of HIPAA security rule requirements for healthcare clients and general compliance frameworks applicable to professional services environments
• Experience with Microsoft 365 security controls as deployed in community bank and small-to-mid-market business environments
• Background in an MSP, consulting firm, or multi-client security advisory practice

Responsibilities

• Serve as the primary point of contact for clients preparing for FDIC, OCC, NCUA, and state banking regulator IT examinations, owning the preparation process from start to finish
• Organize and package audit requested items, complete pre-exam readiness checklists, and produce written summaries of control effectiveness that clients can hand directly to examiners
• Review third-party audit findings and examination results, then draft formal written responses, corrective action plans, and remediation timelines on the client's behalf
• Track open findings and recommendations to closure, producing status updates and evidence packages at each milestone
• Maintain current knowledge of FFIEC IT Examination Handbook updates and translate regulatory changes into specific, actionable steps for each client
• Document client check-ins using Microsoft Planner or a similar task management tool, ensuring all action items, deliverables, and blockers are clearly captured, assigned, and tracked through resolution.
• Lead clients through SOC 2 Type I and Type II readiness assessments including scoping, gap analysis, control testing, and evidence collection
• Produce formal gap analysis reports with prioritized remediation roadmaps in finished, client-ready form
• Build and maintain client control evidence libraries and audit packages, keeping documentation current between audit cycles
• Coordinate with external auditors on the client's behalf and serve as the primary point of contact throughout the audit process
• Design, facilitate, and debrief tabletop exercises for community bank clients covering security incident response, business continuity, and disaster recovery scenarios
• Develop realistic, client-specific exercise scenarios based on current threat intelligence and regulatory expectations for financial institutions
• Produce written after-action reports documenting exercise findings, gaps identified, and recommended improvements, delivered to the client within an agreed turnaround
• Update client incident response, business continuity, and disaster recovery plans based on exercise outcomes
• Review third-party vendor audit reports (SOC 2, penetration tests, security assessments) on behalf of clients and produce written summaries of findings and risk exposure
• Draft formal vendor risk assessment responses and management memos that clients can file, present to examiners, or include in board reporting
• Maintain client vendor inventories and assessment schedules, tracking due dates and ensuring assessments are completed on time
• Draft, update, and maintain client information security policies, standards, and procedures written in plain language, tailored to each client's environment, and ready to adopt without further editing
• Conduct periodic policy reviews against current FFIEC guidance, NIST CSF, and SOC 2 requirements and produce updated versions that reflect any gaps or regulatory changes
• Manage client policy libraries to ensure all documents are versioned, reviewed on schedule, and accessible for audit purposes
• Meet regularly with client stakeholders to review program status, prioritize the work queue, and present completed deliverables
• Manage a multi-client portfolio with disciplined task tracking, clear timelines, and consistent follow-through on every commitment made in a client meeting
• Serve as an advisory resource during client security incidents, providing written guidance on containment, notification obligations, and regulatory reporting requirements

Benefits

• 100% employer paid health insurance (medical and dental)
• First $1,000 of qualified medical expenses covered
• Company Matching 401k
• Family vacation bonus at 5th year