
Chief Information Security Officer

Royal Business Bank

Job Description

Posted on: November 18, 2024

Summary and company overview

NA

Responsibilities

  • Develop and implement security policies and procedures including user log-on and authentication rules, security breach escalation procedures, security auditing procedures, and firewall, IDS, file transfer, and encryption policies.
  • Identify security risks in network infrastructure, systems, and facilities and develop course of action to remediate security risks.
  • Lead initiatives to enhance the bank’s cybersecurity posture, including threat intelligence, advanced analytics, and automated response mechanisms.
  • Ensure tools and technologies are in place and being used effectively to reduce the risk of attacks against the network and systems, i.e., champion the threat intelligence program.
  • Maintain knowledge of changing technologies and provide recommendations on emerging technologies such as artificial intelligence, blockchain, tokenization, etc., and related security best practices.
  • Enforce security policies and procedures by administering and monitoring security profiles, reviewing security violation reports, investigating security exceptions, updating and maintaining security control documentation.
  • Foster a culture of innovation within the security team and encourage the exploration and adoption of new tools and methodologies.
  • Maintain reliable, up-to-date, information from government agencies and security experts, e.g., FS-ISAC, US-CERT, and professional publications regarding the identification of emerging security threats and vulnerabilities.
  • Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
  • Identify potential areas where existing security policies and procedures require change, or where new policies need to be developed.
  • Ensure measures and systems are in place to prevent data loss, implementing the necessary security controls, e.g., firewalls, intrusion detection systems, antivirus software, threat intelligence systems, and data loss prevention systems.
  • Understand and interact with related disciplines through different committees to ensure the consistent application of information security policies and standards across all technology projects, systems, and services.
  • Review user access certifications to verify application entitlements are appropriate for each user’s role and responsibilities.
  • Maintain and enhance a strategic, comprehensive enterprise information security policy and IT risk management program.
  • Provide management and Board of Directors information on IT risk assessments, security policies, security reports, security briefings, etc. related to Bank security.
  • Evaluate and recommend security products, services, and procedures to enhance the overall information security program.
  • Maintain all Bank policies and procedures associated with the information security program.
  • Perform due diligence on third-party service providers and mission-critical systems to verify the adequacy and effectiveness of information security controls and incident response/disaster recovery plans.
  • Review IT vendor SOC, SSAE, and ISO reports on an annual basis to ensure adequate security measures are in place to safeguard customer data.
  • Act as a liaison with the Bank's managed security service provider.
  • Receive security alerts and coordinate appropriate responses.
  • Research security alerts including identifying source IP address, destination IP address, level of risk, devices affected, etc.
  • Respond to security alerts with appropriate communications and measures.
  • Request security updates to firewall and IDS.
  • Maintain information on upcoming changes and enhancements to the managed security services.
  • Act as a member of the Information Technology Committee and the Business Continuity and Incident Response teams.
  • Provide guidance on audits, assessments, table-top exercises, and penetration test responses to ensure compliance and identify areas for improvement.
  • Develop and provide training information to business stakeholders to increase awareness of cybersecurity risk.
  • Report any suspicious security-related activity to a supervisor or the Bank Secrecy Act officer.
  • Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture.
  • Build and maintain relationships with external security partners, vendors, and consultants to enhance the bank's security capabilities.
  • Perform other duties as assigned.

Job Requirements

Required Qualifications:

  • Minimum of 10 years of combined information security, risk management, and IT work experience with a broad range of exposure to systems analysis, application development, infrastructure/network and multi-platform environments.
  • Five or more years of experience with information security preferably with a financial institution.
  • Professional security management certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or other similar credentials, is required.
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, and NIST.
  • Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet enterprise objectives.

Preferred Qualifications:

NA

Additional commentary

NA
