SVP, Information Security Officer (ISO)

  • Full time
  • Posted 2 months ago
  • Los Angeles, California, United States

Job Description

SVP, Information Security Officer (ISO)

Reports to:  EVP, Chief Risk Officer

Location:  Downtown Los Angeles, CA

Job Code:  Y85LK

POSITION OVERVIEW

The Information Security Officer’s role is to provide oversight and direction for developing and supporting Information Security initiatives. The Information Security Officer (ISO) assists in the planning and implementation of the company’s IT system, business operation, and facility defenses against security breaches and vulnerability issues. This individual is also responsible for directing the administration of security policies, activities, and standards. The ISO is responsible and accountable for administration of the Information Security Program. At a minimum, the ISO should directly manage or oversee the risk assessment process, the development of policies, standards, and procedures, testing, and security reporting processes. To ensure appropriate segregation of duties, the ISO should report directly to the Board or to senior management and have sufficient independence to perform their assigned tasks. The ISO should be a risk manager, not a production resource assigned to the Information Technology Department. The ISO should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. A security event occurs when the confidentiality, integrity, availability, or accountability of an information system is compromised. The ISO should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.

POSITION RESPONSIBILITIES

  • Overseeing the performance of each risk assessment and the integration of the risk assessments into a cohesive whole
  • Prepare and present Risk Analysis to the Board of Directors for approval/disapproval on any risk considered to be too costly or disruptive to be remediated
  • Research, develop, implement, test and review an institution’s information security in order to protect information and prevent unauthorized access
  • Identify requirements, resources, applicable protection technology, industry “best practices” and administrative procedures pertaining to information protection, and ensure that management has a working knowledge of this information
  • Ensure that facilities, premises, and equipment are secure and adhere to all applicable laws and regulations
  • Act as advocate and primary liaison for the company’s security vision via regular written and in-person communications with the company’s executives, department heads, and end users
  • Assist with the design, implementation, maintenance and training of disaster recovery and business continuity plans, procedures, audits, and enhancements
  • Evaluate new technology prior to purchase or implementation by performing a risk assessment on the technology
  • Ensure the development, maintenance and training of Information Security Policies with compliance to Federal and State laws and guidance
  • Ensure the development and maintenance of operational procedures and standards as they relate to Information Security
  • Establish a process to identify, track, and report on the results of vulnerability assessments
  • Establish a Chain of Custody that documents (in writing) the name, title, office, and phone number of each individual having sequential possession of a system’s hard drive when it is removed due to compromise and the need for possible forensic examination of evidence for potential prosecution
  • Development and management of the Incident Response and Reporting Program. This program should include the following elements: Policy, Procedures, Contact Lists; Reporting Forms, Customer Notification Templates; and Testing Criteria. At a minimum an annual table top test should be performed by the Incident Response Team. (The Role the ISO plays during an Incident should be outlined within the Incident Response and Reporting Program.)
  • Establish a process to conduct due diligence on third-party vendors who can access the Bank’s sensitive information
  • Ensuring examiners, auditors, and assessors have the documentation, materials, network and facility access as needed
  • Maintaining awareness of the latest threats including: Malware; new attack vectors; attack methodology; threat patterns; trends; and general threat intelligence
  • Establishing relationships with Local, State and Federal Law enforcement. The ISO is encouraged to share Incident or Breach information with appropriate individuals to assist in helping others defend themselves
  • Creation of an annual Information Security Report and the delivery of this report to the Board of Directors. This report should include elements outlined in Appendix B of Part 364 Interagency Guidelines Establishing Information Security Standards
  • Participate in compliance committee meetings, Audit Committee meetings and IT Steering Committee meetings when possible and appropriate. This participation is to ensure: Information Security is considered in all aspects of the business; and an Information Security Dialog can be maintained on an ongoing basis
  • Continue their education where possible to keep current on: Information Technology; The Banking Business and products; Current Regulatory requirements and guidelines; and Information Security
  • Responsible for ensuring all staff receive security awareness training with current and complete content. The ISO is also responsible for documenting who has had what training and when
  • Evaluate, perform and monitor Information Security Risk Analysis for key technology vendors
  • Complies fully with all Bank policies and procedures as well as all regulatory requirements (e.g. Bank Secrecy Act, Anti-Money Laundering, Code of Conduct, etc.). Must complete all required training

EDUCATION and EXPERIENCE

  • Bachelor’s degree in computer science or equivalent
  • Certified Information Systems Security Professional (CISSP) or similar certification preferred
  • SANS certifications preferred
  • 7-10 years of progressively more responsible Information Security experience
  • 5 years Information Security Management experience
  • Working knowledge of information security procedures and technologies preferred.
  • Must have the proven ability to serve as an effective member of a management team, be an effective leader to a team of highly trained personnel and consultants; and interact effectively with law enforcement agencies, risk and data managers, auditors, consultants, vendors, and stakeholders.

Estimated salary range:  $150K to $180K, medical, dental, vision, life, 401K, vacation

Email your resume in MS/Word format to Guyot@Bankers-Search.com

Or contact Keith Guyot at (310) 823-1400