Salem Five Bank Information Security Officer (ISO) in Salem, Massachusetts
Salem, MA, USA
Information Security Officer (ISO)
Department: Legal and Operational Risk
The ISO is responsible for developing, maintaining, and managing an Information Security Program to protect the organization’s information assets. The ISO will work with other functions [e.g., Compliance, Digital Delivery, Enterprise Risk Management (ERM), Fraud, I.S., Legal, Operations, Physical Security] to proactively identify, assess, mitigate, monitor, and report on information security risks. The ISO will play a critical role in supporting senior management in ensuring that a cohesive structure and process exists to manage the variety of information security risk impacts that face the organization. The responsibilities described herein are commensurate with the current size and complexity of the financial institution; as the institution increases in size and complexity, other duties may be assigned.
The ISO is responsible and accountable for demonstrating a commitment to the company’s mission statement including understanding that all divisions of Salem Five work together for one common purpose which is to delight our customers. The ISO must embrace new and emerging technologies to support operations through flexibility, the ability to learn, and adaptability to change.
ESSENTIAL DUTIES AND RESPONSIBILITIES include the following. Other duties may be assigned.
The ISO is responsible for (a) recommending a comprehensive Information Security Program (ISP), (b) assessing and monitoring information security risks across the enterprise, and (c) making recommendations to enhance the ISP.
The ISO is independent of IT Operations and is responsible and accountable to:
- Oversee and monitor implementation of the information security strategy and objectives, as approved by the Board of Directors and in accordance with legal requirements and industry standards (e.g., FFIEC, NIST, CIS), including strategies to monitor and address current and emerging risks.
- Engage with management in the lines of business to understand new initiatives, provide information on the inherent information security risk of these activities, and recommend ways to mitigate the risks.
- Work with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.
- Monitor emerging risks and recommend mitigations. Coordinate relevant risk assessments (e.g., business continuity, cybersecurity, data privacy, multi-factor authentication) to ensure information security risks are accurately identified, measured, monitored, mitigated, and reported, and provide recommendations on aligning risk appetite with strategy and on enhancing risk response decisions (risk avoidance, reduction, sharing, and acceptance).
- Inform the board, management, and staff of information security and cybersecurity risks and the role of staff in protecting information. Report progress of the overall status of the ISP and compliance with guidelines to the Information Security Committee (ISC), the ERM Committee, and the Board of Directors. Report significant security events to these same groups as well as government agencies, and law enforcement, as appropriate.
- Champion enterprise-wide information security awareness and training programs. This includes obtaining and maintaining necessary training to keep current on information security risks.
- Participate in industry collaborative efforts to monitor, share, and discuss emerging security threats.
- Establish a framework for standards and practices relative to enterprise-wide information security risk management and ensure effective oversight of risk mitigation activities that support the ISP.
- Monitor and assess information security risk through regular quantitative and qualitative risk analysis of the adequacy and effectiveness of (a) administrative, physical and technical safeguards to protect the Bank's information assets from internal and external threats and (b) compliance with legal/regulatory requirements and internal policies/procedures/guidelines.
- Develop metrics/reports/dashboards to measure ISP effectiveness and increase the maturity level of the ISP over time. Provide recommendation to the Information Security Committee to enhance the ISP.
- Provide for independent assessment of the design and operating effectiveness of ISP’s information security environment including, but not limited to the following: strategy, security architecture, and supporting policies/procedures. Provide recommendations to the EMT/SVP Bank Counsel Division Head, the Director of ERM, the CIO, and executive management to enhance IT security.
- Act as Chair of the Information Security Committee (ISC).
- Establish, maintain, and oversee the enterprise-wide Breach Response Program. In coordination with the Director of ERM and the CIO, responsible for managing and mobilizing the Incident Response Team to respond to security events to protect the institution and its customers.
- Provide information security leadership regarding ISP-relevant enterprise-wide programs (e.g., business continuity, records management, vendor management).
- Keep abreast of federal and state legislative, regulatory and judicial changes, as well as industry trends related to information security. Ensure compliance with laws and regulations as defined in company policies and procedures pertinent to position, including but not limited to GLBA, FFIEC, NIST, and CIS guidance.
- Serve as liaison to auditors and examiners for requests and inquiries related to the ISP aspects of regulatory examinations, external audits, and internal audits. Monitor the status of corrective actions on findings noted.
Additional essential duties and responsibilities include assessing/recommending/monitoring ISP-related initiatives that effectively support the Bank’s strategic vision; actively participating in meetings by contributing to discussions which support organizational strategy; and attending corporate, employee, and community events as required.
Regular attendance is essential to this position.
Assumes additional responsibilities as requested.
As the financial institution increases in size and complexity, the ISO may have direct supervisory responsibilities for management of employees within the Legal and Operational Risk Division. The ISO would be responsible for the overall direction, coordination, and evaluation of this unit and would carry out supervisory responsibilities in accordance with the organization's policies and applicable laws. Responsibilities include leading, managing, training, coaching, and developing employees; planning, assigning, and directing work; appraising performance; and identifying, addressing, and resolving issues in accordance with the company's policies and practices.
To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. Must be able to travel as needed.
EDUCATION and/or EXPERIENCE
A Bachelor’s degree and work experience in IT or information security, or equivalent banking technical information security knowledge (e.g., IT audit), is required. Minimum of ten years of varied banking experience within a combination of at least two of the following disciplines: risk management, audit/examination, information security/technology, and operations. Experience in a banking/financial services regulated environment strongly preferred. Should be comfortable interacting with all levels of bank management, regulatory examiners, and external auditors. Ideally, demonstrated understanding of security requirements for data privacy laws (e.g., GLBA, Massachusetts law, EU GDPR), FFIEC guidelines, the NIST framework, CIS standards, and PCI. Ideally, experience with a hybrid of cloud and on-premises systems.
CERTIFICATES, LICENSES, REGISTRATIONS
Maintaining and/or pursuing one of the following designations is desirable, but not required: CISSP, CISM, or CISA.
Demonstrated proficiency and ability to effectively utilize information security and cybersecurity tools and Microsoft applications (Word, Excel, Access, Outlook, PowerPoint). Ability to effectively utilize electronic banking applications. Ability to learn and effectively utilize query and Governance/Risk/Compliance (“GRC”) tools.
Ability to read, analyze, and interpret general business and technical periodicals, professional and technical journals, technical procedures, financial reports, legal documents, SSAE 16 or SSAE 18 or equivalent reports, or governmental regulations. Ability to write policies, procedures, minutes, reports, and business correspondence. Ability to communicate clearly and concisely with all levels of staff, executive management, management, the Board, bank regulators, public groups, customers, and other external parties in both oral and written formats. Ability to effectively present information and respond to questions from these same groups.
Ability to calculate figures and amounts such as discounts, interest, commissions, proportions, percentages, area, circumference, and volume. Ability to apply concepts of basic algebra. Ability to work with mathematical concepts such as probability and statistical inference, and fundamentals of plane and solid geometry. Ability to apply these concepts to practical situations.
Ability to define problems, collect data, establish facts, and draw valid conclusions. Ability to interpret an extensive variety of technical instructions in mathematical or diagram form and deal with several abstract and concrete variables.
OTHER SKILLS AND ABILITIES
Ability to successfully work on a variety of cybersecurity, information security, business, risk, and regulatory issues of a time-sensitive and confidential nature. Ability to assess risk from a macro level perspective, including having a solid understanding of the relationship between technology and operations. Advanced knowledge and experience of cybersecurity risk management, key information data security risk exposures, and FFIEC regulatory requirements.
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. While performing the duties of this job, the employee is frequently required to sit. While performing the duties of this job, the employee is regularly required to stand; walk; use hands to finger, handle, or feel; reach with hands and arms; stoop, kneel, crouch, or crawl; and talk or hear. The employee is regularly required to sit and perform data entry. The employee is regularly required to bend, climb, and balance. The employee must occasionally lift and/or move objects up to 45 pounds; the employee must exert up to 50 pounds of force occasionally and/or up to 25 pounds of force constantly to move objects. Specific vision abilities required by this job include close vision.
The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. The noise level in the work environment is usually moderate. Flexible hours, including some evenings and weekends, are required as the job demands.
With a rich history and a strong reputation for growth, service and innovation, Salem Five offers employees a sense of stability and pride. Salem Five also offers a comprehensive salary and benefit package including health insurance and matching 401k plan. Qualified candidates may submit a resume and application online at salemfive.com/careers or mail your resume to Human Resources, 210 Essex Street, Salem, MA 01970.
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)
Posted: April 8, 2021