Information Security Officer
Department: Information Technology
Reports to: SVP, Chief Information Officer
Level: Level 4
Location(s): Sanford, Maine
Responsible for developing and monitoring a strategic, comprehensive, and cost-effective enterprise information security program designed to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the bank.
- Bachelor’s degree in computer science or a related technical field, or a combination of equivalent education and related experience.
- Minimum of five years’ experience in Information Technology, with preference given to experience within a banking environment.
- Demonstrated knowledge in following areas: Firewall Administration, Intrusion Detection, Incident Response, Data Encryption, Network Access Controls, Threat Management, and proper IT related Security Controls.
- Familiarity with a multiple platform environment and their varying operational/security risk considerations.
- Understanding of proper Vendor Management program and practices related to protection of NPPI and GLBA compliance.
- Familiarity and demonstrated knowledge related to appropriate Business Continuity practices.
- Strong oral and written communication skills.
- Highly adaptive to a constantly changing business and technology environment.
- Ability to work in partnership with IT personnel in order to ensure the security and integrity of customer and employee data.
- Excellent analytical and problem-solving skills.
Specific Job Functions:
- Develop and maintain up-to-date enterprise information security policy and program aligning the bank’s risk tolerance with our business goals.
- Coordinate with the Information Technology department to ensure that technology assets are properly configured and monitored and that new assets introduced to our network are properly vetted and configured in a manner consistent with the bank’s security goals.
- Provide the necessary expertise to implement information security architecture, risk management standards, best practices, and processes to ensure information privacy and protection.
- Interact with management to determine acceptable levels of risk as the business lines and their resulting risk profile change, and align the information security program accordingly.
- Monitor security reports and logs in a timely and analytical manner sufficient to determine any potential irregularities or unidentified risks.
- Manage the bank’s information security awareness training program for all employees.
- Manage and maintain the bank’s IT Risk Assessments on a continuous basis and report results to the bank’s Risk Committee and Board of Directors.
- Review internal and external network and system vulnerability scan results and identify areas of concern and possible improvement. Approve the scope of external penetration assessments and internal vulnerability scans.
- Review security and best practice requirements on the bank’s critical applications as needed.
- Support and monitor Information Technology concerning security-related aspects of their job, including: Firewall Administration, Intrusion Detection, Communication Systems, Incident Response, Data Encryption, Access Controls, Threat Management, and other information security related functions. Make recommendations for improvement to security standards, respond to policy violations, and act as a participant in the event of a breach.
- Attend seminars and classes as required to maintain a high level of proficiency in the field of information security and business resumption.
- Manage and act as the point person for the bank’s Vendor Management program and practices to ensure it is effective in protecting NPPI and complies with GLBA.
- Perform ongoing assessment of the bank’s Business Continuity program to determine its effectiveness and report the results of this assessment to the Board annually.
- Act as key point of contact regarding information security with all departments of the bank, external auditors, and bank examiners.
- Stay abreast of all information security related laws and regulations to ensure compliance.
- Stay abreast of the threat landscape by subscribing to cyber threat information sharing resources, e.g., US-CERT, FS-ISAC, InfraGard, etc.
This Job Description describes the essential functions and qualifications of the job described. It is not an exhaustive statement of all the duties, responsibilities or qualifications of the job. This document is not intended to exclude modifications consistent with providing reasonable accommodations for a disability. This is not a contract.