Position Summary

The Information Security Governance and Risk Analyst is responsible for assessing and the [IT/Dev] department’s governance, compliance, and risk posture as they relate to its information security and information technology assets. This position provides highly skilled administrative, [security/technology/development] expertise for the development and implementation of information [technology/development] governance, risk, and compliance programs. Responsibilities require leadership and project management experience, as well as the ability to ensure effective system-wide analysis, standards, testing; risk assessment; awareness, education; and development of policies, standards, and guidelines.

Essential Job Functions:

• Recommend programmatic and technical directions and operate with a high degree of independence in matters relating to information security program governance, risk assessments, compliance activities, and decisions regarding risk, metrics, and program improvements.
• Operate with a high degree of independence with regard to project management activities, including the development of project plans
• Perform other duties as assigned to ensure the smooth functioning of the department and maintain the reputation of the organization as a viable business partner.
• Contribute to the development and implementation of the [Information Technology/Software Development] risk management function of the technology risk program to ensure information security risks are identified, managed, and monitored.
• Internally assess, evaluate, and make recommendations to management regarding the adequacy of the (security and technical) risk controls for the Bank’s information and technology systems.
• Contribute to the system-wide information security governance and compliance program, ensuring Information Technology, Development & Information Security activities, processes, and procedures meet defined requirements, policies, and regulations.
• Develop and implement effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with regulatory expectations and relevant legislation.
• Execute strategy for dealing with increasing number of audits, compliance checks and external assessment processes for internal/external auditors.
• Familiarity with Information Technology, Development, Information Security, and Industry compliance frameworks such as FFIEC, PCI DSS, NIST CSF, Center for Internet Security, Agile, etc.
• Communicates with all levels of staff including Information Technology, and Development, management and staff, developers and other technical staff, general counsel, auditors, and technology vendors and contractors,
• Work with Internal Audit, State and Federal regulators as appropriate on required technology & security assessments, audits, and examinations.
• Coordinate, track, and execute on all information technology and information security related audits and examinations including scope of audits, timelines, auditing agencies and outcomes.
• Work with auditors and regulators as appropriate to keep audit focus in scope, maintain excellent relationships with audit and regulatory entities and provide a consistent perspective on the bank’s governance, risk, and compliance efforts.
• Provide guidance, evaluation, and advocacy on audit responses.
• Must be able to assess computer hardware, software, and systems for security risks (or violations) and work with Information Technology, Information Security, consultants, and bank vendors to recommend solutions.
• Develop strategies to address awareness and training for all stakeholders Must be able to assess the status of complex multi-location projects as well as identify and implement appropriate corrective measures to resolve issues as they arise.
• Must have a strong customer service orientation and the ability to project that attitude to other teams.
• Collaborate with bank Business Continuity department on Technology & Information Security business continuity planning, disaster recovery planning, and testing.

Position Requirements:

• Bachelor’s degree in computer science, information technology, software development, or another related field
• A self-starter, able to work under general supervision. Comfortable working with inter-related infrastructure, software development, and information security risk and compliance issues
• Two to five years of [information technology/development] experience including information security technology skills and expertise
• Knowledge of information technology and/or software development risk management frameworks and compliance practices
• Knowledge of information technology, software development, and information security controls
• Ability to develop security policies, standards, and guidelines based on best practices and industry frameworks.
• Two to five years participating in information technology, software development, or information security projects.
• Excellent interpersonal, communication, and presentation skills, including formal report writing experience.
• Understanding of common security standards and regulations relating to a financial services environment such as FFIEC, PCI DSS, NIST, CSA, Center for Internet Security (CIS), MITRE ATT@CK., ISO 27000, Agile, etc.
• Two to five years participating in information technology, software development, or information security audits and examinations.
• Knowledge of financial service industry legal and regulatory requirements

Preferred:

• Familiarity with security auditing and the financial regulatory examination process (Federal Reserve Bank, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, FFIEC, etc.)
• Information security governance, risk, and/or compliance experience in financial services or federal/state/local government including documenting risk and compliance activities.
• Experience participating in information technology, software development, or information security audits and/or risk assessments.
• Experience producing key metrics, information visualization, and reports.