Information Security Officer (ISO)
Department: Risk Management
Reports To: Director ERM

Each employee, including the ISO, is responsible and accountable for demonstrating a commitment to the company's mission statement, including understanding that all divisions of Salem Five Cents Savings Bank work together for one common purpose, which is to delight our customers with the exceptional ease of banking at Salem Five. The ISO must embrace new and emerging technologies to support operations through flexibility, the ability to learn, and adaptability to change. The responsibilities described herein are commensurate with the current size and complexity of the financial institution; as the institution increases in size and complexity, other duties may be assigned.

ESSENTIAL DUTIES AND RESPONSIBILITIES include the following. Other duties may be assigned.

The ISO is responsible for the governance and management of information and technology risks across the enterprise. The ISO is responsible for the establishment and oversight of information technology policies to protect the organization and its data. The ISO will work with other functions [e.g., Compliance, Digital Delivery, Enterprise Risk Management (ERM), Fraud, I.S., Legal, Operations, Security] to proactively identify, assess, mitigate, monitor, and report on technology risks. The ISO will play a critical role in supporting senior management in ensuring that a cohesive structure and process exist to manage the variety of technology and data security risk impacts that face the organization.
The ISO, who reports to the Director of ERM and is independent of IT Operations, is responsible and accountable for:

- Implementing the information security strategy and objectives, as approved by the Board of Directors, including strategies to monitor and address current and emerging risks, and working with the Director ERM to ensure the ISP effectively aligns with the ERM strategic vision and provides the desired level of governance and reporting.
- Establishing, maintaining, and overseeing the financial institution's Information Security Program (ISP) in accordance with legal requirements and industry standards (e.g., FFIEC, NIST, CIS), including establishing and implementing a framework for standards and practices relative to enterprise-wide information and technology risk management; developing, maintaining, and overseeing information security policies to address all applicable requirements; and ensuring effective oversight of risk mitigation activities that support the ISP.
- Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks.
- Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.
- Monitoring emerging risks and implementing mitigations, including analyzing current operations and participating in application development and infrastructure projects to ensure that data security requirements are identified, understood, and satisfied; coordinating information security relevant risk assessments (e.g., business continuity, cybersecurity, data privacy, multi-factor authentication) to ensure security risks are accurately identified, measured, monitored, mitigated, and reported; and providing guidance on aligning risk appetite and strategy, as well as enhancing risk response decisions (risk avoidance, reduction, sharing, and acceptance).
- Informing the board, management, and staff of information security and cybersecurity risks and the role of staff in protecting information.
- Reporting progress and the overall status of the ISP and compliance with guidelines to the Information Security Committee (ISC), the ERM Committee, and the Board of Directors. Reporting significant security events to these same groups as well as to government agencies and law enforcement, as appropriate.
- Championing enterprise-wide security awareness and training programs. This includes obtaining and maintaining necessary training to keep current on information security risks.
- Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats.
- Managing and assisting in performing ongoing security monitoring of information systems, including assessing information security risk through qualitative risk analysis on a regular basis to ensure that appropriate administrative, physical, and technical safeguards are in place to protect the Bank's information assets from internal and external threats and to ensure compliance with legal/regulatory requirements and internal policies, procedures, and guidelines; conducting functional and gap analyses; evaluating and recommending new information security technologies and countermeasures against threats to information or privacy to the appropriate business unit managers; and developing security reports and dashboards.
- Leading the team that performs ISP risk assessments and user access rights recertification activities and that defines data classification standards to safeguard information assets and technologies.
- Providing independent review and oversight of the following technology areas: design and operating effectiveness of the technology control environment; firewalls, IDS/IPS, and centralized logging solutions; change management process; data classification; exception approval and tracking; key technology operating metrics; and policy implementation and adherence.
- Acting as Chair and Secretary of the Information Security Committee (ISC).
- Establishing, maintaining, and overseeing the enterprise-wide Breach Response Program. In coordination with the CIO, managing and mobilizing the Incident Response Team to respond to security events to protect the institution and its customers; managing the negative effects on the confidentiality, integrity, availability, or value of information; minimizing the disruption or degradation of critical services; investigating security breaches, including root cause analysis; and ensuring compliance with applicable reporting directives.
- Establishing, maintaining, and overseeing the enterprise-wide Business Continuity Program (e.g., risk assessment, business impact analysis, testing).
- Providing information security leadership regarding ISP-relevant enterprise-wide programs (e.g., records management, vendor management).
- Keeping abreast of federal and state legislative, regulatory, and judicial changes, as well as industry trends related to information security.
- Ensuring compliance with laws and regulations as defined in company policies and procedures pertinent to the position, including but not limited to GLBA, FFIEC, NIST, and CIS guidance.
- Serving as liaison to auditors and examiners for requests and inquiries related to the ISP aspects of regulatory examinations, external audits, and internal audits. Monitoring the status of corrective actions on findings noted.

Additional essential duties and responsibilities include establishing and implementing ISP-related initiatives that effectively support the Bank's strategic vision; actively participating in meetings by contributing to discussions that support organizational strategy; and attending corporate, employee, and community events as required. Regular attendance is essential to this position. Assumes additional responsibilities as requested.

NON-ESSENTIAL DUTIES

None.

SUPERVISORY RESPONSIBILITIES

As the financial institution increases in size and complexity, the ISO will have direct supervisory responsibilities for management of employees within the Enterprise Risk Management information security function. Is responsible for the overall direction, coordination, and evaluation of this unit. Carries out supervisory responsibilities in accordance with the organization's policies and applicable laws. Responsibilities include leading, managing, training, coaching, and developing employees; planning, assigning, and directing work; appraising performance; and identifying, addressing, and resolving issues in accordance with the company's policies and practices.
QUALIFICATIONS

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. Must be able to travel as needed.

EDUCATION and/or EXPERIENCE

A Bachelor's degree and work experience in IT or information security, or equivalent banking technical information security knowledge (e.g., IT audit), is required. Minimum of ten years of varied banking experience within a combination of at least two of the following disciplines: risk management, audit/examination, information security/technology, and operations. Experience in a banking/financial services regulated environment strongly preferred. Should be comfortable interacting with all levels of bank management, regulatory examiners, and external auditors. Ideally, demonstrated understanding of security requirements for data privacy laws (e.g., GLBA, MA law, EU GDPR), FFIEC Guidelines, the NIST framework, CIS standards, and PCI. Ideally, experience with a hybrid of cloud and on-premises systems.

CERTIFICATES, LICENSES, REGISTRATIONS

Maintaining one of the following designations is desirable, but not required: CISSP, CISM, or CISA.

COMPUTER SKILLS

Demonstrated proficiency and ability to effectively utilize information security tools, cybersecurity tools, and Microsoft applications (Word, Excel, Access, Outlook, PowerPoint). Ability to effectively utilize electronic banking applications. Ability to learn and effectively utilize query and Governance/Risk/Compliance ("GRC") tools.

LANGUAGE SKILLS

Ability to read, analyze, and interpret general business and technical periodicals, professional and technical journals, technical procedures, financial reports, legal documents, SSAE16 or SSAE18 or equivalent reports, and governmental regulations.
Ability to write policies, procedures, minutes, reports, and business correspondence. Ability to communicate clearly and concisely with all levels of staff, executive management, management, the Board, bank regulators, public groups, customers, and other external parties in both oral and written formats. Ability to effectively present information and respond to questions from these same groups.

MATHEMATICAL SKILLS

Ability to calculate figures and amounts such as discounts, interest, commissions, proportions, percentages, area, circumference, and volume. Ability to apply concepts of basic algebra. Ability to work with mathematical concepts such as probability and statistical inference, and fundamentals of plane and solid geometry. Ability to apply these concepts to practical situations.

REASONING ABILITY

Ability to define problems, collect data, establish facts, and draw valid conclusions. Ability to interpret an extensive variety of technical instructions in mathematical or diagram form and deal with several abstract and concrete variables.

OTHER SKILLS AND ABILITIES

Ability to successfully work on a variety of cybersecurity, information security, business, risk, and regulatory issues of a time-sensitive and confidential nature. Ability to assess risk from a macro-level perspective, including having a solid understanding of the relationship between technology and operations. Advanced knowledge and experience of cybersecurity risk management, key information and data security risk exposures, and FFIEC regulatory requirements.

PHYSICAL DEMANDS

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform essential functions.
While performing the duties of this job, the employee is frequently required to sit. The employee is regularly required to stand; walk; use hands to finger, handle, or feel; reach with hands and arms; stoop, kneel, crouch, or crawl; and talk or hear. The employee is regularly required to sit and perform data entry. The employee is regularly required to bend, climb, and balance. The employee must occasionally lift and/or move objects up to 45 pounds; the employee must exert up to 50 pounds of force occasionally and/or up to 25 pounds of force constantly to move objects. Specific vision abilities required by this job include close vision.

WORK ENVIRONMENT

The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. The noise level in the work environment is usually moderate. Flexible hours, including some evenings and weekends, as the job demands require.

COMPETENCIES

To perform the job successfully, an individual should demonstrate the following competencies:

Adaptability - Adapts to changes in the work environment; manages competing demands; changes approach or method to best fit the situation; able to deal with frequent change, delays, or unexpected events.

Analytical - Has the ability to organize data, both financial and systemic (technical) information, and to make assessments that will be used to optimize systems or financial performance. Synthesizes complex or diverse information; collects and researches data; uses intuition and experience to complement data; designs work flows and procedures.
Business Acumen - Understands basics of the business and related implications of decisions; displays orientation to profitability; demonstrates knowledge of competition; aligns work with strategic goals.

Cost Consciousness - Works within approved budget; conserves organizational resources.

Dependability - Follows instructions, responds to management direction; takes responsibility for own actions; keeps commitments; commits to long hours of work when necessary to reach goals; completes tasks on time or notifies appropriate person with an alternate plan.

Design - Generates creative solutions; demonstrates attention to detail.

Ethics - Treats people with respect; works with integrity & ethics; inspires trust of others; upholds organizational values.

Initiative - Volunteers readily; undertakes self-development activities; seeks increased responsibilities; takes independent actions and calculated risks; looks for and takes advantage of opportunities; asks for and offers help when needed.

Interpersonal Skills - A strong collaborator with customers and co-workers; focuses on responding to customer inquiries; maintains confidentiality; keeps emotions under control; remains open to others' ideas and tries new things; provides for constructive and diplomatic conflict resolution.

Judgment - Displays willingness to make decisions; exhibits sound and accurate judgment; supports and explains reasoning for decisions; includes appropriate people in decision-making process; makes timely decisions.

Oral & Written Communication - Speaks clearly and persuasively in positive or negative situations; listens and gets clarification; responds well to questions; demonstrates group presentation skills; participates in meetings; writes clearly and informatively; varies writing style to meet needs; presents numerical and technical data effectively; able to understand and interpret written information; maintains effective channels of communication.
Organizational Support - Follows policies and procedures; completes administrative tasks correctly and on time; self-motivated; supports organization's goals and core values; benefits organization through outside activities; supports affirmative action and respects diversity.

Planning/Organizing - Prioritizes and plans work activities; uses time efficiently; plans for additional resources; sets goals and objectives; organizes or schedules other people and their tasks; develops realistic action plans.

Professionalism - Approaches others in a tactful manner; reacts well under pressure; treats others with respect and consideration regardless of their status or position; accepts responsibility for own actions; follows through on commitments; maintains positive working relationships.

Problem Solving - Identifies and resolves problems in a timely manner; gathers and analyzes information skillfully; develops alternative solutions; works well in group problem solving situations; uses reason even when dealing with emotional topics.

Project Management - Develops project plans; coordinates projects; communicates changes and progress; completes projects on time and on budget; manages project team activities.

Quality Management - Looks for ways to improve and promote quality; demonstrates accuracy and thoroughness; applies feedback to improve performance; monitors own work to ensure quality.

Strategic Thinking - Understands and implements strategies to achieve organizational goals; understands organization's strengths & weaknesses; analyzes organization's risk profile and impact to organizational goals/strategic initiatives; identifies external threats and opportunities; adapts strategy to changing conditions.

Teamwork - Balances team and individual responsibilities; exhibits objectivity and openness to others' views; gives and welcomes feedback; builds positive team spirit; builds morale and group commitments to goals and objectives.
Technical Skills - Assesses own strengths and weaknesses; pursues training and development opportunities; strives to continuously build knowledge and skills; shares expertise with others.

With a rich history and a strong reputation for growth, service, and innovation, Salem Five offers employees a sense of stability and pride. Salem Five also offers a comprehensive salary and benefit package, including health insurance and a matching 401(k) plan. Qualified candidates may submit a resume and application online at salemfive.com/careers or mail a resume to Human Resources, 210 Essex Street, Salem, MA 01970.