Information Security Officer - Ames, United States - Greater Iowa Credit Union

Description

We are currently seeking an Information Security Officer to lead the organization's information security program to protect the organization's information from unauthorized access, modification, disclosure, and destruction. Activities include assessing information security risks, developing information security policies and plans, ensuring an appropriate level of organizational information security awareness, and working across the organization to implement information security controls. This position reports to the Vice President of Information Technology and participates in applicable committees.

**Hours:** Monday - Friday 8am to 5pm, occasionally evenings for monthly board meetings.

**Location:** 1509 Baltimore Drive, Ames, IA 50010; the opportunity to work remote on occasions.

**Essential Functions & Responsibilities:**

Program Leadership. Protects the confidentiality, availability, and integrity of GICU information and technology systems through administrative, technical, and physical controls. Writes and proposes policies, processes, standards, and procedures to reduce information security risk and meet regulatory requirements. Builds and maintains an information security catalog with cross-references to information security program regulatory requirements, contractual requirements, and information security frameworks. Assess information security capabilities against frameworks. Prepares and presents monthly, quarterly, and annual information security reports as directed. Participates in applicable committees as assigned.

Risk and Compliance. Performs risk assessments, including assessing third parties, to identify information security risks including inherent and residual risk levels. Maintains an information security risk register and tracks risk remediation activities and risk acceptance decisions. Collaborates with the Risk Manager to identify regulatory requirements, perform regulatory compliance gap assessments, and develop processes and procedures for assessing third-party information security risk. Collaborates with Information Technology team members to assess information security risks for new technologies and services, and proposes information security controls to reduce risk. Reviews proposed changes for risks to system functionality and information security controls. Collaborates with system owners and administrators to implement common and application level information security controls. Reviews contracts for information security requirements and assesses whether requirements on both parties is appropriate.

Audit, Assessment, and Exam Coordination. Coordinates regular information security assessments by outside parties to assess the security of company's information systems including, but is not limited to, penetration testing, general controls assessments, and vulnerability assessments performed by outside parties. Receives and responds to information security questionnaires from outside parties. Performs self-assessments and leads response activities for internal and external audits and exams.

Vulnerability Management. Develops and maintains vulnerability management plans to continuously assess and remediate information system vulnerabilities, and threat management plans for the continuous identification of, and response to, internal and external threats. Performs vulnerability assessments and prioritizes vulnerability remediation activities. Collaborates with system owners to remediate vulnerabilities.

Incident Response. Develops and maintains information security incident response plans and processes. Leads information security incident response activities and exercises. Investigates and reports information security incidents.

Disaster Recovery Planning. Develops and maintains information technology disaster recovery plans and processes including identification of critical systems with recovery time objectives (RTOs) and recovery point objectives (RPOs). Performs business impact assessments to determine business impact resulting from information system outages and maximum tolerable downtimes (MTDs). Coordinates disaster recovery exercises.

Information Security Awareness. Administers an information security awareness training and assessment program, including identification of training topics, creation of training materials, and testing and assessment activities.

Continuous Learning. Participates in continuous learning activities to stay abreast of information security threats, trends, technologies, and best practices. Researches, evaluates, and recommends information and building security systems and technologies.

Performs other related duties as assigned.

**Knowledge and Skills**

Experience: Eight years of combined experience in information technology, information security, information technology audit, risk management, or similar field.

Experience assessing and reporting information security risks

Experience developing information security plans and policies

Experience working with auditors and/or examiners

Experience working with information technology practitioners to implement system controls

Financial institution experience preferred

Education: Associate degree in information technology, information security, risk management, or similar field. Bachelor's degree preferred.

CISSP, CISM, CRISC, CISA, CGEIT or similar certification preferred.

Interpersonal Skills

Work frequently involves exercising advanced conflict resolution, giving material presentations, and resolving issues impacting multiple departments or divisions. Role also requires the ability to motivate or influence others as a material part of the role, with a significant level of diplomacy and trust. Obtaining cooperation (internally and/or externally) is an important part of the role and a high level of interpersonal skills is critical to the success of this position.

Other Skills

1. Expert knowledge of information security principles, concepts, and best practices

2. Broad general knowledge of information technology including terminology

3. Strong ability to communicate effectively and build relationships

4. Strong ability to write clear and effective policies, processes, and procedures

5. Strong ability to assess and communicate risks related to information systems

6. Strong knowledge of disaster recovery concepts and practices

7. Ability to lead audit and exam response activities including evidence collection

8. Knowledge of FFIEC IT Exam Manual preferred

Physical Requirements

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

While performing duties of this job, the employee is regularly required to sit, stand, walk and manipulate (life, carry, move) light to medium weights of 10-50 pounds. Requires good hand-eye coordination, arm, hand and finger dexterity, including ability to grasp, and visual acuity to use a keyboard, operate equipment and read technical information.

Work Environment:

Work is performed in a standard office environment with a quiet to moderate noise level. Will travel to other branches as needed. The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

*Greater Iowa is an Affirmative Action, Equal Opportunity Employer (AA/EOE). All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.*

Location (city, state or zip code) You must select a location. Education status You must select an education stat