The information security officer (ISO) coordinates and oversees the establishment and maintenance of new and existing security strategies, initiatives, and standards for California Bank of Commerce to ensure that information, assets, and technologies are protected. The ISO is responsible for planning, directing and coordinating the information security policies and setting the procedures and guidelines that ensure all information systems are functional, secure and safeguarded. The ISO also identifies, develops, and works to implement policies that reduce information and cybersecurity risk, in keeping with customer privacy and trust and in compliance with the laws and regulations that government regulators apply to financial institutions. The ISO works with stakeholders throughout the organization to develop business cases for new security projects and to assess the risk of existing and planned information systems. Additionally, the ISO is responsible for providing leadership in ensuring the technical and administrative support, validation, and improvement of the Bank's Disaster Recovery and Business Continuity Programs.
- Develop and/or maintain appropriate Segregation of Duties (SoD) within and across applications.
- Research and investigate measures that address data security risks and potential losses.
- Install, modify, enhance, and maintain data system security software including continued development and monitoring of the Bank’s Data Loss Prevention (DLP) program.
- Work on determining acceptable risk levels for the enterprise and ensure the IT environments are adequately protected from potential risks and threats.
- Participate in development and implementation of the appropriate and effective controls to mitigate identified threats and risks.
- Follow-up on detected security issues and implement solutions to reduce security risks.
- Assist in the research, development, communication and maintenance of IT security architecture, policies, procedures, solutions and standards, and work with the operational units on their enforcement.
- Support improved data security awareness and education throughout the enterprise.
- Stay abreast of the latest industry security practices, trends and technologies.
- Meet with Business Unit Managers and application owners to analyze, define, maintain, and audit security permissions and roles for new and existing applications. Communicate access permissions with employees to ensure work requirements are met.
- Deliver services that meet regulatory specifications. Work with internal and external auditors to document and confirm that all security administrative duties are properly performed and report on overall compliance.
- Manage and oversee the development, implementation, and tracking of the Bank’s information security policies and procedures, and of the employee training program that builds awareness of social engineering such as email and voice phishing. Employees will be tested every quarter, and the results and any need for further education will be reported.
- Establish and maintain Cybersecurity Risk Assessment framework (NIST/FFIEC-CAT) to identify, measure, monitor and control/manage regulatory risk categories.
- Establish and maintain a Gramm Leach Bliley Act (GLBA) Risk Assessment framework to identify, measure, monitor and control/manage regulatory customer privacy risk categories.
- Establish an ongoing reporting process to ensure that senior management and the Board of Directors are kept apprised of the effectiveness of Information Technology security and incident resolution.
- Annually provide the full Board with an assessment of the Bank’s Information Security program in accordance with the GLBA.
- Audit, report on and validate IT internal controls and Change Management compliance with Bank policies and regulatory requirements, including the Federal Deposit Insurance Corporation Improvement Act (FDICIA) and the FFIEC IT Examination Handbook.
- Oversee the development, maintenance, management, and periodic validation of the Bank’s Business Continuity Plan and Business Impact Analysis documentation.
- Act as the primary administrator of the Technology department’s vendor management program and perform ongoing monitoring of critical and significant vendors, including (but not necessarily limited to) the review of annual control attestation reports and business continuity plans.
- Participate in monthly Risk & Technology Committee meetings.
- Work closely with the SEVP of Technology & Operations, the Technology Manager and internal auditors, acting as liaison with regulators and law enforcement agencies on the Bank’s IT compliance.
- Develop a plan and manage related vendors to provide physical security and law enforcement communications through adequate alarms and surveillance of the Bank’s premises.
- Work closely with Facilities personnel to develop and implement physical security procedures and processes for all of the Bank’s locations, plans for reducing or eliminating premises liability issues, and site analysis and threat assessment documentation.
- Act as a member of the incident response team. Document and report the results of investigation of security breaches.
- Subscribe to threat notification networks, new regulations, and information sharing networks to stay current on requirements and new threats to the industry.
- Manage additional Information Security projects as assigned, including the evaluation of any new applications and/or vendors for IT security adequacy.
- Maintain all appropriate IT and IT compliance records as required by laws and by internal policies.
- Comply with all applicable Banking compliance rules and regulations established by both internal departments and external agencies.
- Develop/Maintain/Test the Bank’s Disaster Management and Business Continuity Plans.
EDUCATION AND EXPERIENCE
- A Bachelor’s degree in computer science or a related field, and a minimum of 5+ years of progressive experience in information security and the banking industry.
- Must be a persuasive leader who can serve as an effective member of the management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff, acting as a bridge between IT and business process owners.
- Certification is required, such as CISA, CISM or CISSP (or willingness to pursue).
- Five (5) years of experience.