Information Security Officer

Merchants Bank•Hastings, MN

1d•Onsite

About The Position

Merchants Bank has an opening for a Information Security Officer. This on-site position can work from any of our Merchants Bank branch locations in Minnesota or Wisconsin. The Information Security Officer (ISO) is responsible for leading and maintaining the Bank’s information security program. This role oversees cybersecurity, regulatory compliance, risk evaluation, and reporting while supporting business objectives. The ISO serves as the Board‑approved leader and works with the Chief Risk Officer and Executive Leadership to align security controls with acceptable risk levels. General Summary: This role will be responsible for implementing and managing the information security program for the Bank. The Information Security Officer is responsible for identifying, evaluating, and mitigating information security risk, and reporting on legal and regulatory, and IT Security (including cybersecurity), while supporting and advancing business objectives for the Company in alignment with growth and financial performance expectations. Must possess a sound knowledge of business management and a working knowledge of cybersecurity and systems covering the Company network and branch footprint as well as the broader digital ecosystem. This position is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure, processes are protected in the environment in which we operate. This role will be the board-designated/approved Information Security Officer for the Company. A key element of the role is working with the Chief Risk Officer, the Chief Information Officer and the Executive Leadership Team to determine acceptable levels of risk for the organization. Will proactively work with business units and managers to implement practices that meet agreed-on policies and standards for security. The Information Security Officer should understand and articulate the impact of all security systems on the business and be able to communicate this to the Board of Directors and other senior stakeholders. The Information Security Officer must be knowledgeable about both internal and external business environments and ensure that systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations. Serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity, and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements. This position understands that securing physical and information assets, associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter. Ultimately, is a business leader expected to maintain objectivity and a strong understanding that security and risk management are foundational but must be managed with balanced perspective about the ability of the business to deliver on its growth and performance goals and objectives.

Requirements

5 years of experience in information security management including specific experience in the following areas: audit and exam response, incident response, reporting and information security program development.
Additionally, 5 years of general IT experience or 3 years of general IT experience and at least a 2-year degree in information security and 2 years of supervisory experience.
Excellent written and verbal communication abilities.
Ability to create and use new and existing Spreadsheets, Word documents, PowerPoint, and other tools to provide reporting information to organization leadership.
Highly organized self-starter, curious, and willing to investigate and learn.

Nice To Haves

Preferred certification from an accredited association within the Information Security realm

Responsibilities

Provide regular reporting on the current status of all security programs to enterprise risk teams, senior business leaders and the Board of Directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
Develops, socializes and coordinates approval and implementation of security-related policies
Direct the creation of information security awareness training program for all employees, and approved system users, and establish and monitor metrics to measure the effectiveness of this security training program for the different audiences.
Ensure the consistent application of security policies and standards across all technology projects, systems, and services, including privacy, risk management, compliance, and business continuity management.
Provide clear security risk mitigating directives for projects in conjunction with Enterprise Risk Management framework, including the mandatory application of security controls.
Maintain and manage the organization’s Information Security Program and procedures
Review the Vulnerability Management Program and recommend improvements as well as ensuring segregation of duty and adequate and timely closure of audit findings.
Maintain and manage the organization’s Identity and Access Management (IAM) Program and procedures.
Maintain and manage the organization’s Vendor Management Program and procedures.
Maintain and manage the organization’s Business Impact Analysis and Business Continuity Program (BCP) and procedures.
Maintain and manage the organization’s Disaster Recovery Program and procedures to align with the BCP program.
Ensure the organization’s technical asset management and system configuration standards are in alignment with information security protocols.
Work with business line leaders and business-related projects to ensure systems and the related processes and procedures meet the organization’s security policies.
Responsible for researching and maintaining appropriate risk management practices regarding information security and assist management in the organization’s overall risk management process to follow regulatory requirements.
Participate on behalf of the organization in general information security related and industry specific security information sharing programs.
Serve as collaborative liaison with Chief Risk Officer, Chief Information Officer & the IT organization on matters related to the budget for the information security function.
Manages the cost-efficient information security organization, consisting of direct reports, as defined within the Company’s organizational design structure for Risk Management. This includes hiring, training, staff development, performance management and timely annual performance reviews for any assigned direct reports.
Provide oversight of staff assisting with providing vendor and access management.
Works effectively with Chief Risk Officer and all business units to facilitate security risk assessment(s) and risk management processes; sets expectations with business unit leaders, to own and accept the level of risk that have been deemed appropriate by the Enterprise Risk Management Committee for their specific risk appetite. Oversee management of information security related vendors per the organization’s vendor management program.
The employee will be expected to take responsibility to ensure that internal and external customers receive outstanding service.
The employee may be asked to perform other duties as required by business needs.
The employee will be expected to complete compliance and product knowledge assignments in a timely manner.