The Information Security Officer (ISO) leads and manages the company’s information security, incident response, disaster recovery/business continuity, IT risk management, vendor management, and IT governance areas. The ISO will establish and maintain a corporate-wide information security management program to ensure information assets are adequately protected. The ISO will identify, evaluate, and report on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports DFC’s risk posture. The ISO will develop and implement policies, standards, procedures, and controls to ensure that the organization's practices remain compliant with all pertinent laws, regulations, and industry standards. Must be able to communicate audit, exam, and assessment issues with executive management, IT and business unit leadership, regulatory agencies, and audit firms.
Information Security Officer:
• Develop, implement and monitor a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality, and availability of information that is owned, controlled, processed, or is otherwise the responsibility of DFC and its affiliates.
• Oversee information security and customer privacy program that includes management of risk assessments, service provider relationships, and incident response. Define and facilitate the information security and customer privacy risk assessment process, including the reporting and oversight of action plans to address findings.
• Develop, maintain, and publish up-to-date information security policies, standards, and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
• Develop the long-term security strategic plan.
• Establish methods and procedures to monitor for security incidents and events.
• Develop, train, test, and refine an incident response plan for security incidents.
• Manage security incidents and events to protect confidential information, corporate IT assets, intellectual property, and the reputation of our banks.
• Ensure all security incidents are fully investigated and reported to executive management.
• Recommend improved security controls, processes, and systems to prevent unauthorized access, use of, or changes to systems or data; and to ensure the privacy and confidentiality of information.
• Submit reports to executive management and the Board of Directors relating to DFC’s (1) customer information and privacy program including the annual security program, annual security report, and related risk assessments; and (2) business continuity planning program.
• Maintain, publish, and enforce IT security standards for IT and the entire company.
• Design, coordinate, and oversee the conduct of risk assessments, vulnerability scanning, and penetration testing to protect the confidentiality, integrity, and availability of bank computer systems and networks. This includes conducting an IT Operations Risk Assessment and contributing to the enterprise risk assessment.
• Create, communicate, and implement a risk-based process for vendor risk management, including the assessment and mitigation of risks that may result from partners, vendors, and other service providers.
• Coordinate audit-related tasks such as ensuring the readiness of IT managers and their organizations for audit testing, and facilitate the timely resolution of audit and exam findings.
• Create and adhere to the information security corporate budget.
• Prepare security and risk management training material and present to all levels of personnel.
• Coordinate security awareness program.
• Manage the Security Information and Event Manager (SIEM) solution.
• Manage the Vulnerability Scanning environment.
• Assess, monitor, and provide recommendations on established security configurations of applications, systems, and network infrastructure.
• Facilitate the development, review, and refinement of IT policies, guidelines, and standards; and conduct an annual review of policies with the Board of Directors and IT Steering Committee as appropriate.
• Maintain, publish and enforce purchasing and asset management standards for the department, Dickinson Financial and affiliate banks.
• Develop, maintain, and oversee the effective disaster recovery planning, policies, and standards to align with enterprise business continuity management program goals. Oversee and coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a disaster or security event. Provide direction, support, and internal consulting in these areas.
• Regular attendance is required, working at the worksite during regular business hours and/or assigned hours.
• Member of the IT Steering Committee, Enterprise Risk Management Committee, and Business Continuity Planning Committee.
• Serve as Chairman of the Information Risk Management Committee.
• Serve as IT Security Officer and Business Continuity Officer.
• Serve as HIPAA Security Officer.
Minimum Qualifications:
• Bachelor of Science in a related field, with a combination of 10 years’ experience in the following areas:
  • Information Technology (IT)
  • IT security
  • IT risk management
  • IT governance
  • Business continuity planning
• A minimum of one security related professional certification is required (CISM, CRISC, CISSP)
• Must possess excellent analytical, mathematical, and creative problem-solving skills
• Requires strong written and oral communication skills; must be able to communicate in terms understood by both technical and business associates
• Knowledge and understanding of relevant legal and regulatory guidance from the FFIEC, PCI requirements, and common IT and information security management frameworks such as ISO 27001, ITIL, COBIT, and NIST
• Experience with technology contracts and formal vendor management
• Requires strong listening and interpersonal skills
Equal Opportunity Employer minorities/females/veterans/individuals with disabilities/sexual orientation/gender identity