Macatawa Bank

Information Security Officer

Macatawa Bank, Holland, Michigan, United States, 49423


**Job Category:** Enterprise Risk Mgt/Compliance

**Requisition Number:** INFOR001810

**Job Details**

**Description**

POSITION SUMMARY: This position provides independent oversight of the information security posture of Macatawa to support alignment with risk appetite as well as banking and privacy / data protection requirements. The Information Security Officer will establish and maintain an Information Security framework that aligns policy, process, operations, people, and technology to protect infrastructure, data, and customer assets, and ensure compliance with applicable regulations and laws. The individual will be a member of the bank's Operations and Technology Steering Committee and have key responsibilities for developing content to support committee meetings and discussion and elevating items to the committee agenda. The position will provide Macatawa with the ability to self-identify risk while supporting the information, data and technology needs of the organization.

ESSENTIAL FUNCTIONS:

Strategy

* Ensure the information security program maintains security objectives in support of the bank's overall business and operations strategy, while ensuring that the company is in regulatory compliance with relevant industry and data privacy standards.
* Coordinate and maintain a corporate information security program that provides assurance of the confidentiality, integrity and availability of data used to support industry and data privacy standards.

Operations

* Provide subject matter expertise to the development of cyber operations - Researches, evaluates and recommends new security tools, techniques, and technologies and introduces them to the enterprise in alignment with information security and technology strategic objectives.
* Develops information security architecture/designs, plans, controls, processes, standards, policies, and procedures to ensure alignment with information security standards and overall information security and technology objectives.
* Assesses the overall adequacy and effectiveness of information security tools used to monitor and protect financial institution data. Responsible for testing the Information Security controls to provide assurance to management and external auditors that controls are in place and functioning as intended to protect financial institution data.
* Involved in a wide range of security operation functions such as incident response, tuning of SIEM tools, digital forensics, privacy incident investigations, fraud investigations for schemes perpetuated by network and computer assets, as well as technical contributions to risk assessments and data and monetary loss prevention monitoring techniques.
* Responsible for the cyber and technology related Incident Response Program development, testing and overall corporate strategy. Assist with the development of processes and procedures to improve incident response times, analysis of incidents, and overall SOC functions.
* With Bank Protection Manager, coordinate with local and federal law enforcement officials to aid in preventing or investigating financial crimes committed against the Company.

Audit

* Responsible for preparation and completion of a current internal information security risk assessment, utilizing industry standards to assess and measure threats and vulnerabilities that may affect the financial institution while providing guidance on mitigation strategies.
* Establish and maintain a risk and exception management process to ensure ongoing management and prioritization of operational, financial, reputational, and regulatory risks, including but not limited to:
  + Cyber Threats Risk Assessment
  + FFIEC CAT
  + Red Flags
  + BCP Risk Assessment
  + GLBA Risk Assessment
  + Record Retention
  + User Access
* Develop / maintain technology and information security audit and control documentation.

BCP/DR

* Coordinate annual Business Continuity and Disaster Recovery activities, procedures and documentation.
* Partner with appropriate Line of Business personnel to develop and/or update plans related to emergency situation/disaster recovery events, including coordination with physical security processes when appropriate.

Third Party

* Support management's oversight of Service Providers' policies and procedures designed to detect, prevent, and mitigate the risk of cyber threats in delivery of services.
* 3rd Party Security Assurance and Risk Assessment - Responsible for performing third party due diligence for third parties that handle financial institution data to provide assurance that information is secure and in compliance with financial institution data standards. Work with third party function to negotiate the inclusion of security requirements into third party contract agreements.
* Evaluate information security programs of external third parties who have access to, transmit or store sensitive information.
* Serve as a technical escalation resource for third party service organization report review, as well as other third party information security reporting.

Training & Reporting

* Provides Information Security awareness training across the organization, creating a calculated approach to possible data breaches and security incidents by anticipating new threats and providing awareness to actively prevent incidents from occurring.
* Prepares reports of key performance data related to information security/threat levels/actions for management, oversight committees as well as the Board of Directors.
* Identify and maintain Key Risk Indicators (KRIs) for various cyber threats as well as ID Theft / Red Flags, security and fraud issues, system availability/reliability, policies and controls, etc.
* Works directly with auditors, examiners and third parties in regard to information security data requests and inquiries.

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities

The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)