Information Security Officer

APGFCU - Your Community Credit Union! For over 80 years, APGFCU has shared our financial experience and provided valuable products and services to build stability and financial independence, one member at a time. We are looking for those who want to join this movement and become a part of a growing organization. We offer competitive pay and great benefits.

Summary: Reporting to the Senior Vice President, Fraud and Security, the Information Security Officer oversees the enterprise-wide APGFCU Information Security Management Program encompassing information security, regulatory compliance, data privacy, and protection of APGFCU intellectual property. Functioning independently of the Information Technology department, this position analyzes, oversees, reports and provides recommendations and counsel regarding credit union information security and vulnerability across the credit union's assets including outsourced assets. On an ongoing basis provides significant interaction with all levels of credit union leadership including Executive and Management Teams, Board Members, as well as support staff in leadership positions. Manages and provides support to the Information Security Analyst.

Essential duties and Responsibilities:

Information Security and Compliance: Oversee and recommend acceptable levels of risk for the credit union and ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization including on premise solutions, other modules and systems as implemented.

Proactively protect the integrity, confidentiality, and availability of information in the custody of or processed by APGFCU by:

• Serving as the process owner of information assurance activities related to the availability, integrity and confidentiality of member and business information in compliance with regulatory requirements and the credit union's information security policies.
• Interacting with various leaders to ensure the consistent application of policies and standards as it pertains to cyber and information security.
• Report regularly to the Executive Team and Board of Directors regarding the status of the Information Security Program and Audit at the credit union.
• Monitoring program data and access control tables and user profiles; design computer system access reports to identify possible segregation of duties, security violations, or intrusions; maintain operating system, database management system and communications system controls; adhere to application and infrastructure change, development, testing, and implementation controls.
• Ensuring the disaster recovery and business continuity processes are tested, updated, distributed as needed to protect ongoing business processes.
• Collaborating with the IT department for risk review and mitigation.
• Recommending tools to enhance APGFCU security posture.
• Providing security awareness training to employees during on-boarding.
• Conducting vulnerability assessments on a quarterly basis.
• Reviewing security documentation for new and ongoing vendors to ensure vendors have effective security controls in place.
• This position plays a key triad role with IT, Security and Compliance to ensure cross-functional collaboration results in a dynamic and robust information security protocols across the credit union.
• This position actively engages in corporate-wide strategic discussion and problem solving.

Threat Management Monitoring and Evaluation: Daily reviews of security monitoring systems, network and user activity, and emerging threats by:

• Monitoring of credit union owned security devices and security managed services to ensure appropriate review and mitigation of identified threats
• Maintaining situational awareness of all systems across the organization and its vendor ecosystem
• Maintaining an understanding of threats and threat activities
• Collecting, correlating, and analyzing security-related information
• Ensuring scheduled monitoring activities are performed daily and documented

Intellectual Property Protection: Determine which types of confidential information are required to be protected as well as establish and maintain policy and verify implementation of suitable encryption controls to protect such information.

Risk Assessments: Conduct Risk Assessments of security controls, systems, and procedures to assess their effectiveness, and working with management, identify, develop, and execute plans to maintain adequate monitoring and address information security risks.

• Perform comprehensive IT risk assessment reviews for key systems and processes.
• Conducts ongoing monitoring of Information Technology security profile and general operational controls.
• Manage and coordinate the maintenance of the Information Security Risk Assessment Framework based on IT General Controls (ITGC) best practices and Information Security Policy standards.
• Coordinate with subject matter experts and leaders to update the Information Security Risk Assessment Framework on an ongoing basis; present findings and recommendations

Policy and Procedure: Determine, develop, maintain, and publish corporate-level information security policies, standards, procedures, and guidelines, including incident response, privacy policies, disaster recovery, business continuity plans and compliance reporting procedures for general IT controls in conjunction with management and legal counsel.

Compliance and Enforcement

• Ensure compliance with operating policies and procedures and information systems are secure and safeguarded throughout the credit union and in compliance with privacy and information security regulations and laws.
• Participate in investigations of suspected information security misuse, unresolved security exposures, or noncompliance situations.
• Perform annual review and update of security policies, standards, procedures, and guidelines.

Project and Risk Governance: Through project team and committee participation promote a risk based management approach and oversight of the security and control framework through ongoing committee participation.

• Information Security Committee - Chair committee to coordinate corporate security initiatives and issues at the executive level
• Vendor Management Committee - Member of committee management triad, performs and contributes to third party data and information security risk assessments and due diligence reviews for new and existing vendors
• Risk Management Committee - Assist departments with regulatory compliance and emerging threats to ensure the security of member, employee and sensitive corporate information.

External Audits: Participate in the preparation prior to regulatory examinations and serving as an active respondent to questions, which arise during an examination.

• Facilitate required audits and examinations.
• Maintain documentation of reported issues and management remediation plans
• Review issues remediation with responsible departments.

Other Job Responsibilities Include:

• Report regularly to the Executive Team and Board of Directors regarding the status of the Information Security Program at the credit union.
• Keep up to date with developments in IT security standards and threats. Maintains a current understanding of the IT threat landscape for the industry.
• Work with department managers and senior management to identify, define and develop security implications for new business projects.
• Maintain current and be familiar with best practices in security and IT controls as published by industry- recognized organizations.
• Contribute to the annual I.T. Strategic Plan.
• Perform additional responsibilities as assigned

QUALIFICATIONS:

Education:

Bachelor Degree or Systems Management or related field is required. Experience can be credited in lieu of education. Specialized training pertaining to the systems in place and continuing education a plus.

Professional industry certifications, such as a Certified Information Security Professional CISSP, networking, operating systems, and security or other information security credentials required.

Experience: A minimum of 7-10 years of experience with a broad range of exposure to business and technical requirements, security and control frameworks, hardware and software systems analysis and internal control procedures. Experience in data administration, security methods, access controls, user roles and profiles, and database design techniques. Education may be substituted in lieu of experience.

Knowledge, Skills and Abilities:

• Ability to relate business requirements and risks to technology implementation for security and control related issues. Must be knowledgeable of risk assessment procedures; policy formation and role-based authorization methodologies; authentication technologies; and security attack pathologies.
• Strong technical analytical skills. Must demonstrate a thorough understanding of how to interpret end-user business needs; and analyzing security requirements and translating them into application and operational requirements and/or appropriate security controls. Strong oral and written communication skills: Must effectively elicit technical information from the non-technical end-user and manage end user expectations; as well as convey technical information to non-technical audiences. Proficiency in control documentation and reporting is required.
• Strong organization skills: Must have a demonstrated ability to work under stress in emergencies and to maintain flexibility to handle pressure coming from all directions simultaneously. Must be available to work after hours and on call. High proficiency with office systems: Extensive knowledge and hands-on experience of applications with personal computers; experience with productivity software, such as Windows and Microsoft Office software including Excel, etc.
• Financial Industry, systems and processes: Expert knowledge and a demonstrated understanding of the general interoperability of financial industry business systems and processes, as well as a current knowledge and general understanding of financial product/service advancement and operating trends.
• Strong management and control framework skills: Must have a strong understanding of risk management methodologies and regulatory requirements pertaining to information security, privacy and/or data security. Demonstrated project management skills including the ability to manage multiple complex priorities and competing agendas without express authority over delivery teams. Expert knowledge of laws, cyber security standards, and compliance frameworks such as FFIEC, GLBA, ISO, NIST, COBIT, SOX, HIPAA, and PCI DSS, as well as emerging privacy laws.

Physical Demands: The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. While performing the duties of this job, the employee is regularly required to stand; walk; use hands to handle or feel objects, tools, or controls; and talk or hear. The employee frequently is required to reach with hands and arms. The employee is frequently required to type, sit, stoop, kneel, or crouch. The employee must frequently lift and/or move up to 25 pounds, and be capable of transporting related supplies and equipment. Specific vision abilities by this job include vision, distance vision, color vision, peripheral vision, depth perception and the ability to focus.

APGFCU is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability to Protected Veteran status. Please use the attached link to view the EEO law poster http://www1.eeoc.gov/employers/poster.cfm

APGFCU is committed to working with and providing reasonable accommodations to persons of all abilities, including persons with disabilities. If you need a reasonable accommodation for any part of the employment process, please send to the Human Resources Department and let us know the nature of your request and your contact information. Reasonable accommodations are considered on a case-by-case basis. Please note that only inquiries concerning a request for reasonable accommodations will be responded to from this e-mail address.