Job Information
Main Street Bank VP, Information Security in Marlborough, Massachusetts
VP, Information Security
Job Details
Level
Experienced
Job Location
26 Forest St Operations - Marlborough, MA
Position Type
Full Time
Salary Range
$125,000.00 - $150,000.00 Salary/year
Job Category
Banking
Description
Title: VP of Information Security
FLSA Status: Exempt Employment Status:Full Time
Department: Enterprise Risk Management Location:Operations Center Marlborough/ Hybrid Eligible
Reports To: EVP of Strategy & Risk
Date Prepared: August 26, 2024 Human Resources Review:August 30, 2024
SUMMARY:
Reporting to the EVP of Strategy & Risk, the VP of Information Security has the overall responsibility for leadership and management of Information Security, Privacy, Vendor Management and Disaster Recovery/Business Continuity Programs. This position is responsible for all aspects of Gram-Leech-Bliley Act compliance. It’s expected that this individual will offer guidance to help the Bank achieve its short and long-range strategic plans. It’s expected that this individual will continually stay relevant with emerging cybersecurity trends and practices. It’s vital to utilize various threat intelligence sources and stand ready to activate our incident response plan. Additionally, it is expected that this position assists with projects that affect the department and the bank, act as a resource for other team members in the Enterprise Risk department and the Bank embracing the established sales and service culture to maximize their contribution to the Bank’s goals.
After successful completion of training and proven abilities, this position is eligible for a hybrid work arrangement with Consistent availability is expected during core business hours and agreed upon number of days per-week/month on site.
ESSENTIAL DUTIES and RESPONSIBILITIES:
In the performance of respective tasks and duties, the employee is expected to successfully perform quality work within deadlines with or without supervision, interact professionally with other employees, customers and vendors; work effectively as a team contributor on all assignments and work independently while understanding the necessity for communicating and coordinating work efforts with other employees and organizations.
Information Security
Define strategy, direction and lead the continuous improvement of the Bank’s information security, asset protection, data governance, compliance programs and data management in a fully functional, compliant, and secure mode.
Develop and deliver board-level reporting on ways to measure cyber security preparedness and
Prioritizes and executes on investments that mitigate overall cybersecurity risks, enhances defenses, and mitigates security exposures, direct implementation of new cyber security solution.
Establish and maintain policies, procedures, standards, and guidelines that enable the Bank’s information security strategy based on established cyber security frameworks (NIST, FFIEC, etc.).
Reviews regularly scheduled information risk and security functions on various systems and applications in accordance with established standards and procedures. These systems include but are not limited to patch management, firewall, user access reports, user roles, and antivirus.
Act as incident manager for cyber security incidents, and be the point of escalation
Investigate insider threats and cyber security events, perform digital forensics, and document incidents
Provide strategic risk guidance for IT projects, including evaluation and recommendation of technical controls and disaster recovery procedures
Design, perform, and/or oversee penetration testing, vulnerability assessments, and social engineering testing.
Perform risk assessments to identify gaps in compliance to information security (application and infrastructure) and compliance (including the GLBA) for both internal technology solutions as well as solutions provided by third-party service providers
Offer guidance to special technology-based projects
Maintain a thorough understanding of global, regional, and local regulatory requirements that have technology impact
Review security aspects of third-party service provider contracts and assisting business units with legal and regulatory requirements concerning security processes and requirements
In conjunction with Training department, deliver training, employee on-boarding, awareness campaigns, and tests/simulations to measure their effectiveness, on all aspects of Information Security
Vendor Management
Establish and maintain policies, procedures, standards, and guidelines for the Bank’s Vendor Management Program
Evaluate potential and current vendors to quantify risks, develop risk mitigation strategies for strategic vendors with business leaders, and develop and manage a comprehensive vendor risk management strategy.
Monitor and provide regular reporting on the Vendor Management Program and status of new and on-going vendor reviews.
Guide business units on the principles and process steps within the vendor management business process for evaluation, selection, contract review, and performance
Assist business units with third-party service provider/vendor reviews including evaluating and responding to SSAE18 (SOC) reports and reviewing policies related to information security and DR/BCP.
Reviewing third-party service provider contracts and assist business units with legal and regulatory requirements (GLBA), SLA requirements, data protection requirement, data breach reporting, confidentiality, and compliance with customer data privacy laws (MA 201 CMR 17.00).
Disaster Recovery and Business Continuity
Develop and maintain the Bank’s Disaster Recovery / Business Continuity Plan and Incident Response Plan.
Develop disaster recovery plans for physical locations with critical assets such as data centers.
Maintains and review each business unit’s Business Impact Analysis to ensure business units are properly prepared in case of disaster; monitor on-going testing of individual recovery plans within each business unit
Lead, coordinate, and document regularly scheduled Disaster Recovery / Business Continuity testing
Assist in leading the Bank’s crisis team in the event the BCP is activated
Privacy
Establish and maintain policies, procedures, standards, and guidelines for the Bank’s Privacy Program
Responsible for updating Privacy Policy and notices, as necessary
Responding to data subject requests, as applicable.
Conduct privacy impact assessments for new products or initiatives to evaluate and mitigate risks related to processing, transmission, and storage of Non-Public Customer Information.
Remain current on the evolving privacy legal and regulatory landscape and assess the potential impact on the Bank’s operations as well as on its products and services offered to consumers; collaborate to ensure projects and tasks are initiated to reflect the changing landscape.
General
Serve as the Board of Directors appointed Information Security Officer, Red Flags, and Privacy Officer.
Prepare and maintain budget for Capital Expenditures and Operating Expenses related to all areas of responsibility
Assist internal, external, and regulatory auditors with the collection of requested materials as assigned with their respective engagements.
Provide regular reporting to the Board of Directors for the Information Security Program and all GLBA compliance. Conduct Board of Directors training and presentations as required.
Ensures that area of direct responsibilities operate within guidelines set for State and Federal laws.
Participates in user groups for third-party services providers, industry trade groups and educational programs to remain abreast of current issues, and requirements that impact the Bank.
Coordinates materials and responses for examinations, internal or external and ad hoc regulatory inquiries related to all areas of responsibility.
Participates in and represents the bank in the Community (events and organizations).
Contributes to the effective team management of all Main Street Bank issues, opportunities, and problems. Readily volunteers and accept assignments to special task forces established to address specific issues and opportunities.
In the performance of respective tasks and duties, the employee is expected to maintain knowledge of and ensure compliance with Bank Secrecy Act regulations and adheres to compliance procedures and internal/operational risk controls in accordance with any and all applicable regulatory standards, requirements and policies as well as attending all required training sessions and completing all required on-line training courses.
Other duties as assigned, performing similar or related work as directed, required, or as situation dictates.
LEVEL OF RESPONSIBILITY:
Participates in developing and executing the strategic Information Security Plan to meet the bank’s overall competitive position within the financial services industry.
Works independently along all staff levels and with complex and proprietary information.
Influence as subject matter expert to help guide the leadership team in Information Security, Physical Security and Privacy decisions.
SKILLS REQUIRED:
Bachelor’s Degree in Computer Science, Information Security, Information Technology, or another relevant field.
7 - 10 years of Information Security, Information Technology, and/or Fraud Investigations
Certification in Information Security (Security+, CISSP, CISM, CISA) - Desirable
Extensive proven background in compliance and information security in a regulated industry (financial, health care, government, etc.)
Strong risk management skills and mindset
Extensive knowledge of cyber security concepts, principles, methods, and products
Extensive knowledge networking, firewalls, routers, switches, IPS/IDS systems, DLP tools, and endpoint protection.
General knowledge of virtualization using VMWare ESXi and Microsoft Hyper-V
General knowledge of cloud services using Microsoft Azure and Amazon AWS
General knowledge of financial and banking technology including core banking software, loan origination platforms, online and mobile banking platforms, general ledger software, ATM technology, etc.
Must have a thorough understanding of access control, video management systems and alarm systems.
Proficiency in interpreting and analyzing impact of federal and state regulations, with particular proficiency in consumer and other lending regulations required.
Experience performing compliance reviews/audits for a financial institution.
Experience in developing and delivering Information/Cyber Security or other technical training.
Proficient in Microsoft Office Suite products
Solid understanding and application of and ability to operate standard office equipment
Means and mode to travel to any of Main Street Bank’s locations as needed on a regular basis.
EQUIPMENT REQUIRED:
Smart Phone - To enable the MFA (Multi Factor Authentication) facilitating access to MSB systems.
HYBRID/REMOTE ENVIRONMENT:
Your physical remote location must provide a dedicated workspace that is free from distraction and provides adequate light to be regularly visible on video calls.
You must have access to a reliable internet connection with adequate bandwidth to join Teams and other video calls.
COMPETENCIES:
Natural leader with responsive and positive communication (written & verbal), effective relationship management techniques and interpersonal skills, ethics, and cultural awareness to build strong relationships with direct reports and cross-functional teams throughout the organization.
Critical thinker who can digest complex problems, articulate risks and mitigating factors, navigate situations involving the need for trade-offs, and recommend solutions which meet the needs of all stakeholders.
- Highly detailed, organized and professional
Strong problems solving abilities and superior follow up skills
Relationship Builder - Develops and maintains relationships with officers, employees and external contacts and maintains alignment with core values, vision, strategy and goals.
Technology Savvy - Utilize technology/systems to improve work processes and use a range of technology to solve problems
LANGUAGE/COGNITIVE SKILLS:
The language and cognitive ability demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
The person in this position frequently communicates with all departments, customers and vendors about banking products and services, and therefore must be able to exchange accurate information in these cases. They will need to use judgment and discretion in decision making situations, interpret and follow all Bank policies and procedures, write/create reports, and business correspondence, (Main Street Bank’s standard language is English). As well as the ability to:
Speak and effectively present/communicate information and respond to questions from customers, groups of managers, Board of Directors, vendors, and other employees.
Define problems, collect data, establish facts, and draw valid conclusions.
Read, analyze and interpret a variety of documents such as those related to transaction history and Bank policies and procedures.
WORKING CONDITIONS AND PHYSICAL EFFORT:
The physical and work environment demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
While performing the duties of this job, the employee is required to:
Physical Demands/Efforts
Occasionally lift and/or move up to 25 pounds, (i.e., boxes of files)
Regularly required to remain in a stationary position, greater than 75% of the time
Occasionally required to stoop and bend.
Mental & Visual Demands
Regularly operate a computer for extended periods of time
Specific vision abilities may be required by this job include close vision, distance vision, peripheral vision, depth perception, and ability to adjust focus.
Regular use of office productivity machinery (i.e., a calculator, copy machine, fax machine, computer printer).
Work Environment and Hazards
Regularly move throughout the inside the Bank to access resources and individuals.
Occasional local travel for bank purposes and/or on behalf of the bank (i.e. audits, branch training, networking, seminars).
The employee must be able to work schedules that meet the needs of the bank, which may include early morning, evening and/or weekend hours.
When in the office, it is a general office environment where the noise level is moderate.
Qualifications
The completion of this Application for Employment does not assure a position with Main Street Bank and any offer of employment is conditioned on the satisfactory completion of a background and credit review as determined by the sole discretion of Main Street Bank. Neither this Application for Employment nor any document constitutes a contract of employment for a specific term and that any employment relationship that may be established will be 'at-will' and if hired, may be terminated at any time, for any reason, by the applicant or Main Street Bank.
Massachusetts Law - It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.
Massachusetts General Laws c. 151B prohibits employers from (1) terminating or refusing to hire individuals on the basis of genetic information; (2) requesting genetic information concerning employees, applicants, or their family members; (3) attempting to induce individuals to undergo genetic tests or otherwise disclose genetic information; (4) using genetic information in any way that affects the terms and conditions of an individual’s employment; or (5) seeking, receiving or maintaining genetic information for any non-medical purpose.
Main Street Bank is an Equal Opportunity Employer, we are committed to recruiting, hiring, training, and promoting persons without regard to race, color, religion, national origin, citizenship, age, sex, marital status, ancestry, physical or mental disability, veteran status, sexual orientation, military service, genetic information, and gender identity.