Responsible for managing a variety of risk elements and controls in a technical environment. Evaluates technical and procedural risks and provides recommendations on changes. Serves as primary liaison with Risk Management and Audit departments regarding control development, testing and possible remediation. Provides input to IT audit responses and ensures potential findings are remediated per commitments. Recommends changes to controls and consults within IT and across the enterprise to enhance security posture and reduce technical risks, utilizing appropriate technical security frameworks (e.g., NIST, ISO) and CIS Controls.
Develops, documents and maintains written procedures. Leads vulnerability management program for IT department and tracks remediation process. Reviews vendor technical environments for potential risks, documents findings and identifies practical risk reduction strategies. Performs a variety of risk assessments. Assists with potential remediation of technical vulnerabilities, investigating exposure and tracking progress, both internally and with vendors. Monitors patching program for applications, operating systems and appliances. Prioritizes multiple threat indicators to assess most urgent first. Responds appropriately to incidents and assist with root cause analysis. Makes independent decisions on matters of varying complexity, utilizing knowledge of security best practices, frameworks and good judgment. Gathers input from management on complex situations. Required to exercise appropriate discretion on confidential matters.
This position is on-site 5 days/week
Essential Duties & Responsibilities
Assess potential security threats. Understand security implications of technical threats and steps needed to bolster environment. Provide a timely response to potential security incidents utilizing playbooks where appropriate. Analyze threats identified from incidents for potential additional threat indicators and intelligence.
Identify technical risks and lead IT risk assessments. Remain current with industry threats, understanding and implementing mitigation strategies. Work with multiple IT teams and business process owners to ensure remediation occurs in a timely manner.
Mange vulnerability management program. Maintain scanning application and scanning frequency, providing results of findings to IT asset owners. Consult with asset owners on root cause of findings and identification of any false positives. Track remediation activities to ensure highest priority findings are addressed in a timely manner.
Maintain knowledge of IT frameworks and lead implementation of appropriate processes. Track IT Security strategic goals and progress; recommend adjustments based on industry best practices.
Serve as primary liaison with Audit and Risk Management departments, providing control evidence and resolving findings. Evaluate compliance with and recommend changes to SOX controls.
Coordinate the development, implementation and maintenance of information security policies, standards and guidelines.
Maintain a working knowledge of IT network topologies and major systems.
Perform other duties as assigned.
Participate in proactive team efforts to achieve departmental and company goals.
Must comply with current applicable laws, regulations and bank policies and procedures. Comply with all safety policies, practices and procedures. Report all unsafe activities to supervisor and/or Human Resources.
Experience
Ten to fifteen years of similar or related experience including broad technical experience with an understanding of applications, networking, databases, security, system dependencies, etc.
Seven to nine years in or working with a technical control function such as IT Risk or related field.
Education/Certifications/Licenses
Bachelor's degree, Information Systems, Computer Science, Information Security or related field required. CISSP, CRISC or other relevant certification required.
Skills
Ability to quickly understand details where needed. Strong personal leadership, communication, organization, interpersonal, and analytical/problem solving skills with regards to technology and complex environments. Strong process orientation and personal computer skills, especially in evaluating financial & technical information. Familiarity with IT governance frameworks such as FFIEC, NIST and ISO. Able to handle multiple projects simultaneously, learn new areas quickly, take ownership of issues/projects, develop and implement recommendations. Excellent verbal and written communications skills. Ability to work closely with staff and multiple levels of management. Prior experience working with regulatory agencies including OCC and/or FDIC preferred.
A significant level of trust, credibility and diplomacy is required. In-depth dialogues, conversations and explanations with customers, direct and indirect reports and outside vendors can be of a sensitive and/or highly confidential nature. Communications may involve motivating, influencing, educating and/or advising others on matters of significance.
CapFed® is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.
