IT Governance, Information Security, Risk Management
4 Year Degree/Bachelor Degree
The Information Security Officer (ISO) oversees and directs VACU’s Information Security Program in accordance with regulatory requirements to ensure appropriate administrative, technical and physical safeguards surrounding member and proprietary information; safeguards are designed to ensure the confidentiality, integrity, and accessibility of information. The ISO applies industry best practices and recognized security and risk frameworks to the integration of people, processes and technology to establish information security and 3rd party risk profiles consistent with management’s and the Board’s risk appetite and tolerance levels. The ISO also establishes and maintains technology governance policies and practices commensurate with the organization’s size and complexity; and manages, coaches, develops and trains Technology Governance staff.
JOB DUTIES AND RESPONSIBILITIES:
Information Security / Technology Governance:
Direct, evolve and carry out day to day administration of VACU’s information security, technology governance and IT risk management programs, ensuring conformity to NCUA / FFIEC requirements, recognized IT/information security framework(s), and industry best practices.
Establish, maintain and/or oversee development of enterprise and department level information security and technology governance policies and procedures that support and document adherence to VACU’s Information Security Program.
Conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external threats to information, operations, applications and/or members, including those likely to result in unauthorized disclosure, misuse, alteration, or destruction of Confidential or Sensitive information.
Collaborate/consult with IT and business owners to document, measure and monitor information and/or cyber security gaps/risks, and their mitigation or disposition.
Collaborate with business unit management to ensure integration of information security and technology governance requirements into VACU’s lines of business, support functions, operational processes, and vendor selection and management processes.
Prepare and/or deliver periodic written reports and presentations to management, Risk Management Committee, and/or the Board to provide updates on the status of VACU’s Information Security Program and technology risk profile, along with other relevant information requested by management or required by regulations.
Align and coordinate risk metrics, reports and analyses with VACU’s enterprise risk management program, as applicable.
Serve as coordinator of the Corporate Information Security Incident Response Team. Collaborate with IT-Cybersecurity Operations, as needed, to track, investigate, evaluate, respond to and report on Information Security Incidents or Events (as defined by policy).
Oversee development and delivery of training and other content to promote employee awareness of and compliance with information security policies, procedures and standards.
Serve as “second line of defense” and a liaison between IT operational management and auditors/examiners to identify and advocate for appropriate mitigation of information security and technology risks.
Guide and support IT on creation and maintenance of IT departmental policies and procedures consistent with established framework(s).
Establish and/or carry out appropriate governance activities and/or controls to monitor and report on adherence to policies and procedures in areas including:
IT asset lifecycle management
User access controls
Technology/disaster recovery exercises
Serve as point of contact for IT audits/exams and coordinate: fulfillment of request lists; review/vetting audit findings; collaborations with Governance and IT management to craft audit responses; and tracking of remediation activities.
Oversee VACU’s Vendor Management Program and processes surrounding selecting, vetting, assessing and monitoring 3rd party relationships to ensure alignment with VACU’s risk appetite and policies, and compliance with legal and regulatory requirements.
Collaborate with Governance & Risk colleagues, as needed, to support and/or advise on technical aspects of Information Management and BC/DR programs and processes.
General Management / Other
Supervise and direct the Technology Governance Team; establish and communicate appropriate goals and objectives that support VACU’s mission, vision and strategies.
Provide frequent, constructive feedback on performance; encourage and support employee development and growth.
Maximize efficiency and effectiveness of people and processes; proactively assess policies, procedures, resources and tools, and recommend improvements as appropriate.
Keep management apprised of the activities of the Technology Governance team.
Keep abreast of changing laws, regulations, best practices, threats, tools and trends impacting areas of responsibility.
Perform other projects and/or duties as assigned by management.
Consistently provide quality service to members (internal or external) and co-workers.
Comply with all published enterprise level policies and procedures including, but not limited to, Risk Management policies.
Complete all required, ongoing enterprise level training including, but not limited to BSA, OFAC, and Information Security.
Report all Risk Management Policy violations in accordance with policy.
Knowledge and Experience:
Five to seven years of direct management experience, preferably in a technology governance or information security related role; may substitute indirect management experience through matrixed teams and/or project leadership for a portion of direct management experience.
Demonstrated hands-on experience creating and/or administering a comprehensive information security and IT governance/risk management program in accordance with regulatory requirements, preferably for a federally insured financial institution.
Demonstrated hands-on experience creating and implementing written policies in support of information security / IT governance program.
Demonstrated hands-on experience required in a demanding, compliance-oriented service function, including direct interaction with managerial, professional and technical staff.
Extensive knowledge of and demonstrated experience interpreting and applying one or more recognized technology-related compliance and/or risk management regulations and frameworks (e.g. GLBA, NCUA Part 748, NCUA ACET, FFIEC IT Handbook, CIS Critical Security Controls, ISO, NIST, ITIL).
Strong working knowledge of concepts and best practices surrounding information, application and network security; 3rd party risk; vulnerability management; asset lifecycle management; and Active Directory.
Skills and Abilities:
Advanced computer skills, including excellent proficiency with Microsoft applications Word, Excel, Outlook, SharePoint and PowerPoint required; Visio and scripting or database management skills are a plus.
Demonstrated ability and willingness to mentor, train and develop staff to reach their full potential.
Excellent written and verbal communication and presentation skills; able to interact confidently, tactfully and professionally with senior management.
Exceptional interpersonal and collaboration skills with ability to positively influence outcomes, and maintain professional demeanor in difficult situations.
Ability to gather, analyze, organize and evaluate diverse sets of data and facts in a meaningful, systematic manner, using outputs to make logical, well thought out decisions.
Self-motivated and able to work both independently and collaboratively, to meet deadlines and achieve positive results in a team environment.
Proactive, flexible and resourceful in engaging across business units to set priorities, address challenges, and create workable solutions.
Commitment to quality service, and ability to build strong relationships based on mutual trust.
Basic familiarity with project management fundamentals is a plus.
Bachelor’s degree required, preferably with a concentration in information technology or risk management; technical training or certifications may be considered in lieu of college degree.
Advanced degree, training or course work in computer operations, operations management and/or risk management is a plus.
This job requires the ability to sit for long periods of time.
This job requires occasional lifting or carrying of objects up to 20 pounds.
About Virginia Credit Union
We’re proud of the opportunities, training, benefits and work-life balance we provide to those who help people take their money further, and reach their goals sooner. We strive to provide a culture where employee development, teamwork, integrity, respect and quality of life are the cornerstones of delivering superior member experience. We thank our employees for making us a part of our community’s "Top Workplaces" and are always looking to add people to our team who share our passion for helping members build their finances and confidence. In return, we offer employees a challenging and rewarding work environment and are committed to maintaining an atmosphere that promotes teamwork and continual improvement. Virginia Credit Union is an Equal Opportunity Employer.