Information Governance and Risk Manager

Description

The Information Governance and Risk Manager is responsible for overseeing and reporting on the governance, risk, and compliance (GRC) of information security risks mitigation activities across the Bank.  This position is a critical assurance role which must identify and implement current internal IT GRC practices to ensure companywide compliance with all regulatory and appropriate industry best practices.

PRIMARY DUTIES/RESPONSIBILITIES:

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.

• Oversees and reports on the management and mitigation of information security risks across the Bank, reporting directly to the CEO.
• Develop, implement and maintain IT governance frameworks, policies, and procedures to ensure alignment with organizational goals and objectives as well as industry and regulatory standards such as NIST and the Gramm-Leach-Bliley Act (GLBA).
• Ensures that access control of data is assigned to the appropriate Data Owners and reviews of access control are performed by those designated data owners.
• Review and approve security exception requests that expose the Bank to organizational risks (Firewall requests, website access, etc.).
• Reviews and writes privacy and GLBA related policies and procedures and submits annual reports to the Board of Directors detailing privacy and GLBA issues.
• Monitors and addresses current and emerging risks, and in collaboration with the Bank’s Chief Technology Officer, Technology Steering Committee and Executive Management, develops and implements strategies and controls to mitigate risks.
• Conducts ongoing information security compliance monitoring activities, performs safeguarding customer information risk assessments for all areas of the Bank and works with personnel throughout the Bank on identifying acceptable levels of residual risk.
• Participates in major information technology projects of the Bank assuring that effective processes for information technology risk management, including those that relate to cybersecurity, are in place.
• Engages with management in lines of business to understand new initiatives, provides information on the inherent information security risk of these activities, and outlines ways to mitigate the risks.
• Champions security awareness and training programs, fostering a culture of IT compliance and risk awareness throughout the organization.
• Participates in industry collaborative efforts to monitor, share, and discuss emerging security threats, maintains advanced knowledge and awareness of financial industry technical status and trends.
• Participates as a member of the Incident Response Team in the event of a technology incident, assists in the establishment of procedures to address security incidents and partners with members of management to investigate and resolve potential security breaches.
• Serves on the Bank’s Technology Committee and Technology Steering Committee to assist in defining information security objectives, and provide strategic and visionary planning, risk management, resource allocation, monitoring of the information security landscape, and evaluation of the status and success of projects.
• Reports significant security events to the Board of Directors, Technology Committee, Chief Technology Officer, Executive Management, government agencies and law enforcement, as appropriate and works with the Bank Secrecy Act Officer and Bank Security Officer in the completing and filing of Suspicious Activity Reports (SARs) if warranted.
• Responsible for the enterprise-wide Business Continuity Planning (BCP) including the established and validation of policies and procedures to restore business critical services of the Bank in the event of a disaster or event. Ensures that each department or division has an up-to-date appropriate plan.
• Develops, implements, and monitors information security policies and controls to ensure data integrity, security, systems performance, and legal and regulatory compliance. Must ensure compliance with internal and external audit requirements. Must maintain advanced knowledge of cyber security issues, requirements, laws, and trends.

COMMITTEES

• Management Team
• Technology Committee
• Technology Steering Committee
• Technical Change Advisory Board

Qualifications

EXPERIENCE REQUIREMENTS:

• Bachelor’s degree in IT governance, risk management, and/or compliance is Required.
• 4 years of work experience in IT governance, risk management, and/or compliance is required, preferably including GLBA compliance experience in the financial services industry.
• 1 years of prior management and/or leadership experience is required.
• Education experience, through in-house training sessions, formal school, or financial industry related curriculum, should be business or financial industry related.

EDUCATION REQUIREMENTS:

• Bachelor’s degree in Information Technology, Computer Science, or related field or related experience.  Master’s degree is a plus.
• Professional security management certification as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials are preferred.

OTHER REQUIREMENTS (SKILLS, ABILITIES, CHARACTERISTICS):

• Advanced knowledge of Bank operations, related state and federal laws, rules and regulations and other Bank operational policies and procedures.
• Mastered experience, knowledge and training in progressively responsible information technology department operations, management and supervisory activities.
• Demonstrates strong business judgment and decision-making skills; ability to identify, prioritize and articulate highest impact initiatives.
• Excellent interpersonal skills, enabling the individual to successfully motivate and work with a diverse group of people.  Enjoys working in a collaborative, team-based environment.
• Excellent organizational and communication skills. Must be able to explain technical concepts in simple terms to colleagues without a technical background.
• High level of problem-solving skills enabling individuals to take responsibility and/or risk to resolve situations where the outcome will reflect our commitment to quality and client satisfaction. 
• Effective budget management.
• The Information Security Officer’s success depends on the ability to work with executive leadership, key stakeholders, technical teams, business analysts, consultants, auditors, and vendors to manage projects, find solutions, maximize quality, and ensure security and compliance.

ADDITIONAL INFORMATION

SUPERVISORY RESPONSIBILITY: No

WORKING CONDITIONS:  Normal office environment

EOE Veteran/Disability