Information Security Officer

Baker Boyer National Bank
Walla Walla, WA Full Time
POSTED ON 3/20/2024

About Baker Boyer:

Baker Boyer is the oldest independently owned community bank in the Pacific Northwest. We are Eastern Washington’s trusted financial advisor, serving the Walla Walla Valley, Tri-Cities and Yakima Valley communities, providing wealth management as well as personal and business banking services.

What We Offer:

  • Salary:
    • Information Security Officer: $77,874 - $138,810 a year.
    • Great Benefits! Medical, Dental, Vision plans with additional:
      • ADD & Life Insurance
      • Long Term Disability
    • 401(k) - 100% safe harbor match up to 6%, plus an additional 6% profit sharing contribution, resulting in employer contributions of up to 12% of annual salary.
    • Paid Leave -
      • 22 days of Vacation leave and 3 R&R (Revive & Renew) days.
    • 11 Paid Federal Holidays annually*
    • *Number of paid holidays may be fewer than 11 in years when Federal Holidays are observed on Saturdays.
    • Life Assistance Plan
    • Free access to certified financial counselors
    • Employee Wellness Program
    • 8 hours of paid volunteer time annually

    About the Information Security Officer Role:

    This key leadership role operates independently within the Compliance Department, coordinating across the enterprise at the nexus of people, process, and technology in the management of organizational security risk. It facilitates high quality and value-added tasks and projects to ensure security posture and regulatory security compliance issues are managed and addressed while aligning with cost-effective management of the bank’s security risk exposure.

    This is a highly visible position, often collaborating and working with employees across the enterprise to improve bank practices, policies and workflow. Strong communication, analytical skills, prioritization and self-motivation are necessary attributes for success in this role, as is transferable experience that demonstrates the ability to quickly learn and implement complex concepts. Prior information technology audit or compliance experience, or information security experience, is strongly preferred; bank/finance experience is preferred.


    Key Responsibilities

    • Develop and manage the overall strategic direction for enterprise Information Security.
    • Manage, monitor, and report on the implementation of board-approved information security strategy, objectives, goals, and tasks intended to mitigate current and emerging risks that satisfy the requirements of Gramm-Leach-Bliley Act (GLBA) standards.
    • Develop and report on key risk indicators and performance measures for enterprise, vendor, and third-party information security, such as periodic updates for enterprise risk management (ERM), Board and the Executive Committee (EC).
    • Perform or oversee information security and related risk assessments.
    • Maintain information security policies and procedures, ensuring they are comprehensive, complete, and current.
    • Collaborate with business units to ensure information security and related risks are addressed.
    • Manage information security reporting processes.
    • Prepare annual information security reports for EC and the Board.
    • Serve as subject matter expert in security risk management methodologies and practices, security awareness, security incident management and IT Security controls management.
    • Continuously improve functions and programs that contribute to a strong security posture.
    • Coordinate with management in the lines of business to understand the information flows plus associated risks and mitigations.
    • Monitor emerging risks and work with 1st Line of Defense to guide implementing mitigations.
    • Engage with management in the lines of business to understand new initiatives, provide information on the inherent information security risk of various activities, and outline ways to mitigate these risks.
    • Support information security awareness and training for the Board and management regarding risks and the role of staff in protecting information.
    • Develop and manage Third-Party Information Security Risk Management. Coordinate with the Third-Party Risk Officer to support oversight of the information security requirements of the bank’s Third-Party Risk Management Program in line with GLBA and FTC standards. Ensure appropriate oversight of Third-Party Risk Program vendor.
    • Ensure independent view of information security capabilities, effectiveness, and maturity.
    • Produce real-time reporting processes with real-time data to keep key stakeholders informed.
    • Coordinate with first-line information security leaders and Information Technology (IT) department to ensure information security capabilities and internal controls are effective, current, aligned with industry requirements, and within organization risk standards.
    • Ensure adequate protection of digital assets and technology solutions are in place that support enterprise strategy, daily operations, and provide security gap remediation.
    • Collaborate with the IT Department to define controls that assure regulatory requirements are met: controls that are designed effectively, with clear documentation of implementation and evidence, and that are functioning as intended.
    • Lead the Incident Response Team (IRT) and work with the IT Department to ensure necessary responses to address information security incidents are accomplished and documented.
    • Maintain and oversee the Incident Response Plan (IRP); provide reporting, development and testing of the plan, procedures, and playbook; provide employee response exercises and training in accordance with enterprise response procedures.
    • Report significant security events to EC for escalation to the Board, steering committee, government agencies and law enforcement as appropriate.
    • Coordinate with the IT Department to ensure gaps in security controls are proactively identified and action plans for risk treatment are in place and tracked with accountability established.
    • Ensure that the enterprise is following state and federal regulations within acceptable security risk tolerances identified by the Compliance Department and Board.
    • Serve as a contributing member of the Compliance Team.
    • Prepare reports for senior management, the Board, examiners, internal and external auditors.
    • Assist in coordinating bank’s efforts to prepare, gather, and present information during Compliance, Information Security and Safety & Soundness exams.
    • Complete assigned procedures, responsibilities, and projects, with minimal supervision. Document work performed with appropriate work papers.
    • Maintain a good working knowledge of the IT/security systems and applications that impact your responsibilities.
    • Attend appropriate trainings, seminars or conferences to develop professional skills (in/out of state).
    • Stay abreast of role-specific enhancements in information security/cybersecurity.

    Education and Experience:

    • Bachelor’s degree in Information Technology/Security/Cybersecurity, Computer Science, Business Administration or relevant educational and professional experience.
    • 5 or more years relevant experience.
    • Relevant certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and/or Certified Information Privacy Professional (CIPP).
    • A depth of knowledge/experience on information security across a range of platforms and business units to include networking, applications, identity and access management, operating systems, cloud services, email gateway, privileged access management, vulnerability management, database security and endpoint security.
    • Experience or skills in related information security frameworks (e.g. CSF, COBIT, ISO 27001/27005, OCTAVE, FAIR, NIST, RMF, PCI DSS, CSA CCM) in an operational IT/security environment.
    • Experience in applying information security risk frameworks to technologies (including cloud, containers) and continuous processes (including DevOps and Agile software deployment).
    • Working knowledge of relevant compliance tools (i.e. Unified Compliance Framework – UCF, Common Controls Hub – CCH)
    • Demonstration of relevant skills and experience required to perform job may be considered in lieu of education or information security/auditing/compliance experience minimums.

    Knowledge and Skills

    • Strong written and verbal communication skills. Ability to communicate with various levels of employees in a manner that is of high quality, content, style, clarity, and timeliness both orally and in writing.
    • Proactively builds and maintains positive relationships through an approachable and an open-minded outlook.
    • Proactively build cross-functional relationships within and external to the enterprise; work to understand workflows, processes and the impact of changes/suggestions.
    • Demonstrated ability to work independently and with limited direction; willingness to take initiative.
    • Ability to organize and prioritize work; possesses strong time management skills.
    • Attention to detail and accuracy with the ability to manage multiple tasks and priorities.
    • Familiar with and knowledgeable of most corporate departments, systems and policies, or able to learn quickly.
    • Knowledge of/or ability to easily learn banking policies, procedures and laws and regulations governing the bank.
    • Ability to apply logic and reasoning when carrying out instructions furnished in written or oral form.
    • Team player; willing to help as needed and keep team informed of status and needs.
    • Ability to proficiently use and interpret data and processes provided by various process tools.
    • Strong knowledge and ability to use Microsoft Office Suite with proficiency and accuracy.
    • Experience with audit software (i.e. IBM Query, TeamMate Audit Software, comparable), preferred.
    • Understanding of information security and privacy regulations and guidance found in relevant banking regulations.
    • Self-motivated to pursue and progress in professional development.
    • Utilizes self-training resources (i.e. books, subscriptions, periodicals, certifications, memberships in professional groups) and participates in recommended courses.

    Physical demands/conditions requirement:

    The job tasks and physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made as appropriate to enable individuals with qualified disabilities to perform the essential functions.


    While performing the duties of this job, the employee is regularly required to sit and/or stand, write, type, speak, and listen. The employee may occasionally be required to stand, walk, reach, stoop, kneel, or crouch. The employee may occasionally lift and/or move up to 25 pounds. This position requires a person with the ability to read, write, and speak and understand English. Specific vision abilities required by this job include close vision, distance vision, color and peripheral vision, depth perception and ability to adjust focus. Ability to sit at desk and work on computer.

    Nothing in this job description restricts management’s right to assign or reassign duties and responsibilities to this job at any time. Baker Boyer believes that each employee makes a significant contribution to our success. That contribution should not be limited by the assigned responsibilities. This position description is designed to outline primary duties, qualifications and job scope, but not limit our employees nor the organization to adjust the work identified. It is our expectation that each employee will offer his/her services wherever and whenever necessary to ensure the success of the company.

    Baker Boyer is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, citizenship, disability or protected veteran status.


    Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities

    The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)
