This job offer is no longer available
IT Security
Dickinson Financial Corp
- Kansas City, Missouri, United States
About
Summary
The IT Security and Risk Manager works in the Information Technology Department and is primarily responsible for working with IT, business units, users, and vendors to ensure the confidentiality, integrity, and availability of data, systems, information, and associated assets according to the GLBA, the FFIEC Handbook, and industry-accepted information security and data standards.
Responsibilities
- Perform risk assessments and impact analyses to identify vulnerable areas within the company's security program. The risk assessment process includes identifying threats and risks, identifying technical, logical, and operational controls that are in place to mitigate the threats, and analyzing and reporting the observations found during the risk assessment process.
- Manage the vulnerability assessment software including defining asset groups, determining software parameters, and assigning scan profiles. Will also oversee the handling of vulnerability issues including the evaluation of vulnerability exceptions. Will keep management apprised of vulnerabilities and risks.
- Will monitor the handling of firewall/IDS/IPS/malware incidents to ensure issues are investigated and solved appropriately. Could include investigating incidents directly. Will keep management apprised of results.
- Will develop incident procedures and oversee the investigation and reporting of security incidents including phishing, smishing, virus, DoS, and privacy breaches. Will keep management apprised of incidents.
- Will be responsible for executing the Company's incident response plan.
- Will identify information security monitoring standards and define the correlating rules required from the Security Information and Event Management (SIEM) solution. Responsibility could also include the writing and managing of the SIEM solution.
- Coordinate all security reviews and tests including, but not limited to, firewall rule review, social engineering tests, penetration tests, and vulnerability assessments.
- Coordinate the Company's disaster recovery and business continuity program. This includes maintaining the plans, coordinating the BIA, facilitating recovery testing, assessing vendors' resiliency, and preparing corporate awareness.
- Manage the enterprise vendor management program. This includes coordinating vendor due diligence and vendor oversight, performing vendor security reviews, and managing vendor contracts.
- Will assist in defining security controls and security baselines for systems being implemented.
- Inform and train staff members, both inside and outside the IT department, on their responsibilities concerning IT security as it relates to Company systems.
- Assess need for security reconfigurations (minor or significant) and either execute them or coordinate the execution of them.
- Assist in internal audit or external audits as necessary. This may include responding to audit requests, preparing audit documentation, or acting as liaison between IT and the audit entity.
- Participate in the IT budget and expense management process. This may include preparing cost analyses for IT purchases, investigating IT expenses, identifying possible cost-saving opportunities, and assisting in all or part of the IT budgeting process.
- Develop security procedures as necessary.
- Remain informed on trends and issues in the security industry, including current and emerging technologies. Keep team managers apprised of findings.
- Be highly knowledgeable of the Organization's overall security policies, and recommend changes and enhancements.
- Keep current with emerging security standards, alerts, and issues (FFIEC Security Handbook, ISO, etc.).
- Protect all client and
Languages
- English