Information Security Officer

About The Position

Requirements

• Must have 5+ years’ experience in banking information security, regulatory compliance or similar work experience in compliance or risk management.
• Must have deep knowledge of the NYSDFS information security standards and regulations.
• Strong technical background and knowledge of vendor software packages commonly used in banking applications.
• Must have extensive knowledge of privacy and data protection laws, regulations and best practices, including GLBA; GRC tools and implementation; data breach handling and cross-border data transfer requirements and industry standards/frameworks (NIST, ISO27k, COBIT 5, FFIEC).
• Strong presentation and written communication skills and the ability to analyze and make effective, business-centric recommendations to business leaders and senior management.
• Experienced developing a comprehensive security program, including risk assessment framework.
• Must have security certification CISM, CISSP, or equivalent
• Working experience in project management.
• Must have security certification CISM, CISSP, or equivalent.

Responsibilities

• Develop, implement and monitor a strategic, comprehensive enterprise information security program to ensure the integrity, confidentiality and availability of data.
• Document and maintain a risk assessment framework covering information and physical security, data governance and business continuity.
• Develop and maintain information security policies, standards and guidelines.
• Stay abreast of regulatory developments and perform all regulatory filings.
• Oversee the approval, training, and dissemination of security policies, standards and guidelines.
• Develop and oversee effective business continuity and disaster recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure systems are recovered in the event of a security event.
• Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
• Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.
• Partner with the Enterprise Risk Management to define standards and processes and provide subject-matter expertise to oversee vendor information security risk and inform periodic audits of third-party service providers' information security and business continuity controls.
• Provide regular and consistent reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of the strategic enterprise risk management program.
• Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
• Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address findings.
• Develop and manage information security budgets, and monitor them for variances.
• Responsible and accountable for the day-to-day implementation and management of the Information Security Program.
• Promote awareness of applicable regulatory standards, upstream risks and industry best practices across the Bank.
• Lead information security awareness and training initiatives to educate workforce about information risks.
• Develop and conduct table-top exercises to test operational resilience and identify enhancements.
• Lead vendor management efforts to ensure adequate performance and security practices are in place.
• Lead an incident response team to contain, investigate, and prevent future computer security breaches.
• Review and verify in a daily, weekly and monthly basis user access to applications and systems.
• Serve on and support the efforts of the IT Steering Committee.
• Address questions from internal and external audits and examinations.
• Analyze and track reports of inappropriate use of technology and institutional/personal information, including computer security incidents, and guide the investigation and resolution of such incidents.
• Responsible for the direction, coordination, implementation, executive, control and completion of strategic projects, while remaining aligned with strategy, commitments and goals of the organization.