This is a
senior-level position for the Information Security Department and establishes and
maintains the enterprise vision, strategy, and program to ensure information
assets and technologies are adequately protected.
The Information Security Officer (“ISO”) is responsible for overseeing and
reporting on the management and mitigation of information security risks across
the institution. He/she is responsible for implementing an information security
program satisfying the Interagency Guidelines Establishing Information Security
Standards (Information Security Standards), which were issued pursuant to the
Gramm-Leach-Bliley Act (GLBA). The ISO is an enterprise-wide risk manager and
not a production resource devoted to IT operations, networking, or programming
functions. The ISO reports to the Vice President of Audit and ERM, but also
provides periodic reporting to the bank’s IT Steering Committee and works
closely with the Chief Information Officer.
The ISO is
accountable to plan, implement, coordinate, and maintain the bank’s overall
information security and cybersecurity programs. The ISO is the “champion” of
information security for FGB and works closely with management. He/she weighs
business needs against security concerns, finds the right solution to support
the business, and articulates any issues to management.
Essential Duties and Responsibilities
Strategy and Oversight
Implement the information security
program and objectives, as approved by the Board of Directors, including
strategies to monitor and address current and emerging risks.
Oversee development, accuracy, and
compliance with corporate security policies, standards and procedures.
Work with senior management and the
Board of Directors to ensure information security protection policies are being
updated, implemented, reviewed, maintained, and governed effectively.
Report significant security events to
the Board, IT Steering Committee, government agencies, and law enforcement, as
Provide periodic reporting to the Board
of Directors regarding the status of the information security program including
those items required by the FFIEC guidelines.
Develop quarterly metrics for the IT
Steering Committee and the Board of Directors.
Lead incident response efforts to
contain, investigate, and prevent security breaches.
Develop timely responses and action
plans to address findings from internal and external audits.
Provide updates to senior management
and the Board on cyber risk trends.
Assist in collecting documentation from
IT and business departments in preparation for regulatory exams and annual
Review new programs, systems, and
processes for security exposure.
Regularly test systems for security preparation and readiness.
Other duties and responsibilities as
Identification & Monitoring
Perform comprehensive IT risk identification,
which includes identification of cybersecurity risks as well as gathering of
details during the information security risk assessments required under GLBA.
Identify cybersecurity risks and
evaluate the bank’s cybersecurity preparedness.
Maintain and update a repository of
cybersecurity threat and vulnerability information that may be used in
conducting risk assessments.
Review existing systems and develop and
maintain ongoing comprehensive written information security risk assessments.
Monitor for emerging risks and
Ensure proper design and implementation
of the corporate SIEM, IDS/IPS, and other monitoring systems.
Review monthly network vulnerability
assessments, interpret the results, validate potential exposures, and provide a
periodic written assessment.
Perform analysis of logs from several
systems to identify unexpected or malicious activity.
Monitor security audit and intrusion
detection system logs for system and network anomalies.
Track the status of known information
security exposures, and work with IT and business departments to facilitate
remediation of those exposures.
Inform the Board and management of
information security and cybersecurity risks and the role of staff members in
Lead information security awareness and
training initiatives to educate staff members about information risks.
Participate in industry collaborative
efforts to monitor, share, and discuss emerging security threats.
Provide input and guidance for the
planning, research, and design of IT security architectures and data
Partner with IT management to develop
and maintain security requirements for local area networks (LANs), wide area
networks (WANs), virtual private networks (VPNs), routers, firewalls, and
related network devices.
Work with management in the lines of
business to understand the flows of information, the risks to that information,
and the best ways to protect the information.
Engage with management in the lines of
business to understand new initiatives, provide information on inherent
information security risk, and ensure appropriate consideration of risks
involved with new products, emerging technologies, and information systems.
Provide guidance on security protocols,
data encryption standards, firewall configurations, daily maintenance of
security tools, updating of antivirus/malware monitoring tools, detection and
response to security alerts and other various information security measures.
Ensure patch management is completed
accurately and in a timely manner.
Ensure that the access control,
disaster recovery & business continuity controls, incident response, and
risk management needs of the organization are properly addressed.
Assist on all audit and examination
initiatives and track IT remediation activities related to independent
vulnerability testing, risk analyses, security assessments and exam
mitigation/controls in conjunction with Internal Audit and Risk Management.
Certify deployments as compliant with
procedure and policy.
Adhere to the BSA policy and all other
Other duties and responsibilities may
be assigned by supervisors.
Minimum Qualifications (Education,
The incumbent is required to maintain
the integrity of bank customer information and protect Information Technology
Requires experience working with IP
networking, networking protocols including DNS, electronic mail, and a thorough
understanding of security related technologies including encryption, VPNs,
firewalls, proxy services, and access-lists.
Bachelor’s degree in Computer Science,
Cybersecurity, or related technical field. Other degrees with requisite
information technology and/or information security experience will be
A Master’s degree with a concentration
in IT security is preferred.
7 – 12 years working in IT and
security, preferably in the banking or financial services industries.
5+ years managing security
CISM (Certified Information Security Manager)
CISSP (Certified Information Systems Security Professional)
Physical Demands and Work Environment
The physical demands described here are representative of those that must be met by
an employee to successfully perform the essential functions of this position.
Reasonable accommodations may be made to enable individuals with disabilities
to perform the functions.
While performing the duties of this position, the employee is regularly required to
talk and hear. The employee frequently is required to use hands or fingers,
handle, or feel objects, tools or controls. The employee is occasionally
required to stand; walk; sit; reach with hands and arms; climb or balance; and
stoop, kneel, crouch, or crawl.
The employee must occasionally lift and/or move up to 25 pounds. Specific vision
abilities required by this position include close vision, distance vision,
color vision, peripheral vision, and the ability to adjust focus.
The noise level in the work environment is usually moderate.
This job description in no way states or implies that these are the only duties to
be performed by the employee(s) incumbent in this position. Employees will be required to follow any
other job-related instructions and to perform any other job-related duties
requested by any person authorized to give instructions or assignments.
The duties and responsibilities are essential functions and requirements and are
subject to possible modification to reasonably accommodate individuals with
disabilities. To perform this job successfully, the incumbents will possess the
skills, aptitudes and abilities to perform each duty proficiently. Some
requirements may exclude individuals who pose a direct threat or significant
risk to the health or safety of themselves or others. The requirements listed in
this document are the minimum levels of knowledge, skills or abilities.
This document does not create an employment contract, implied or otherwise, other
than an “at will” relationship.
FIRST GUARANTY BANK is an EEO employer - M/F/Vets/Disabled