IT Security & Risk Manager II

About The Position

Requirements

• Must have ability to work independently and be able to manage multiple projects simultaneously.
• Excellent analytical, mathematical, and creative problem-solving skills.
• Excellent written and oral communications skills; communicate in terms to both technical and business associates.
• Possess leadership skills and be self-motivated.
• Must be able to interact with DFC personnel at all levels and across all business units in a professional manner.
• Must be able to interact with third party DFC relationships in a professional manner to build long-term relationships.
• Education – Minimum of 4 years of experience related specifically to IT Security.  A B.S. degree in a Computer-related field is also preferred.
• Certifications – Requires any of following security entry-level certifications: Security+, Network+ and/or GIAC Security Essentials.

Nice To Haves

• CCNA, MCSE, CEH, CISSP, or CISA, is preferred.
• CBCP (Certified Business Continuity Professional), CTPRP (Certified Third-party Risk Professional) or CRVPM (Certified Regulatory Vendor Program Manager) would be beneficial.
• Training - Continuing professional education will be provided to maintain a certification in good standing.
• Specialized training will be provided as needed. Training will be dependent on infrastructure and business strategies.

Responsibilities

• Perform risk assessments and impact analyses to identify vulnerable areas within the company’s security program. The risk assessment process includes identifying threats and risks, identifying technical, logical, and operational controls that are in place to mitigate the threats, and analyzing and reporting the observations found during the risk assessment process.
• Manage the vulnerability assessment software including defining asset groups, determining software parameters, and assigning scan profiles.  Will also oversee the handling of vulnerability issues including the evaluation of vulnerability exceptions.  Will keep management apprised of vulnerabilities and risks.
• Will monitor the handling of firewall/IDS/IPS/malware incidents to ensure issues are investigated and solved appropriately.  Could include investigating incidents directly. Will keep management apprised of results.
• Will develop incident procedures and oversee the investigation and reporting of security incidents including phishing, smishing, virus, dos, and privacy breaches.  Will keep management apprised of incidents.
• Will be responsible for executing the Company’s incident response plan.
• Will identify information security monitoring standards and define the correlating rules required from Security Information and Event Management (SIEM) solution.  Responsibility could also include the writing and managing of the SIEM solution.
• Coordinate all security reviews and tests including, but not limited to, firewall rule review, social engineering tests, penetration tests, and vulnerability assessments.
• Coordinate the Company’s disaster recovery and business continuity program.
• This includes maintaining the plans, coordinating the BIA, facilitating recovery testing, assessing vendor’s resiliency, and preparing corporate awareness.
• Manage the enterprise vendor management program.  This includes coordinating the vendor due diligence, the vendor oversight, perform vendor security reviews, and managing vendor contracts.
• Will assist in defining security controls and security baselines for systems being implemented.
• Inform and train staff members, both inside and outside the IT department, on their responsibilities concerning IT security as it relates to Company systems.
• Assess need for security reconfigurations (minor or significant) and either execute them or coordinate the execution of them.
• Assist in internal audit or external audits as necessary. This may include responding to audit requests, preparing audit documentation, or acting as liaison between IT and the audit entity.
• Participate in the IT budget and expense management process. This may include the preparing of cost analyses for IT purchases, investigating IT expenses, identifying possible cost saving opportunities, and assist in all or part of the IT budgeting process.
• Develop security procedures as necessary.
• Remain informed on trends and issues in the security industry, including current and emerging technologies.  Keep team managers apprised of findings.
• Be highly knowledgeable of the Organization’s overall security policies, and recommend changes and enhancement
• Keep current with emerging security standards, alerts and issues. (FFIEC Security Handbook, ISO, etc)
• Protect all client and bank information confidentially and follow all company policies.
• Understand, communicate, and instill the Company’s mission, vision, and values (Pillars of Success).
• Complete monthly training in a timely manner to ensure knowledge of bank regulatory requirements, policies, and procedures.
• Working at the worksite during regular business hours and/or assigned hours.
• Other specified duties as assigned.

Benefits

• Medical
• Dental
• Vision
• 401(k) plan
• Company paid life insurance
• Short and Long-term disability insurance
• Company paid vacation, paid leave and holidays