Manager, IT Security

BANK-FUND STAFF FED CREDIT
Washington, DC Full Time
POSTED ON 3/12/2020 CLOSED ON 4/24/2020

Job Posting for Manager, IT Security at BANK-FUND STAFF FED CREDIT

Description

About Us:

Bank-Fund Staff Federal Credit Union (BFSFCU) is a full-service financial cooperative that was organized and chartered in 1947 as a convenient place for employees of the World Bank Group and International Monetary Fund and their families to save and to obtain credit. With over 80,000 diverse members located worldwide and around $5B in assets, we are a unique credit union that serves members from nearly every country with their financial needs. Located in Washington, DC, we offer three full-service branches in downtown as well as a full-service Lending Center near Farragut West and Farragut North metro stations. Our organization’s philosophy is based on our commitment to what we call the Service PACT. This is our commitment to each other and our members that we will put the service experience first, and focus on being Proactive, Accountable, Connected and Trustworthy (P.A.C.T.). If you believe this is a description of you, we want to learn more.


Summary:


The ITSM position has a leadership role that requires an individual with a strong technical background with a focus on cybersecurity, as well as an ability to work with the IT organization and business management to align security priorities and plans with key business objectives. The ITSM must develop and execute a cyber security strategy that continuously enhances the security posture of the organization and enables continuous assessment and mitigation of security threats. The ITSM coordinates the IT organization's technical security activities to implement and manage security infrastructure, and to provide regular status and service-level reports to management and the board of directors. The ITSM will act as an empowered representative during IT planning initiatives to ensure that security measures are incorporated into strategic IT plans.


Expertise in vendor management and leading security project teams within IT and across the organization, as well as developing and managing cyber security projects, is essential for success in this role. In addition to supporting the organization’s security and regulatory policies and strategies, the ITSM must be able to prioritize work efforts while balancing operational tasks with longer-term strategic security efforts. The ITSM is responsible for managing highly technical staff as they work to accomplish corporate and personal development goals and must, therefore, have proven leadership skills. Documentation and presentation skills, analytical and critical thinking skills, and the ability to identify needs and take initiative are key requirements of the ITSM's position.


Responsibilities:


The ITSM's job is composed of a variety of activities, including very tactical, operational and strategic activities in support of the organization’s security program initiatives, such as:


• Strategic support

• Security liaison

• Architecture/engineering support

• Operational support


Strategic Support

• Develop and execute the ongoing development and implementation of the cyber security programs and manage security projects that address identified risks and business security requirements.

• Manage the process of analyzing and assessing the current and future threat landscape, as well as providing the IT Management team with a realistic overview of risks and threats in the enterprise environment.

• Work with the Chief Information Officer to develop and manage budget projections based on short- and long-term goals and objectives.

• Monitor and report on compliance of security policies, as well as the enforcement of policies within the IT department.

• Develop security policies and manage changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.

• Manage a staff of security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching, including technical and personal development programs for team members.


Security Liaison

• Manage resource owners and IT staff in understanding and responding to security audit findings reported by auditors and examiners.

• Work as a liaison with vendors and legal to establish and manage mutually acceptable contracts and service-level agreements.

• Manage technology security production issues and incidents, and participate in problem and change management forums.

• Serve as an active and contributing participant in the Information Technology security steering committee.

• Work with the IT Management team and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security programs.

• Provide support and guidance for legal, audit and regulatory compliance efforts.


Architecture/Engineering Support

• Collaborate with IT and security staff to develop and execute a program that ensures the security controls are factored into the evaluation, selection, installation and configuration of all systems including hardware, applications and software.

• Monitor and enforce security controls that support defined security policies.

• Manage a team that serves as an active participant and security consultant in the evaluation and planning of new system technologies and/or major system releases and changes.

• Leverage industry best practices and frameworks to establish and enforce security standards across the technology landscape.  

• Develop strong working relationships with the IT team and business to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.


Operational Support

• Coordinate, measure and report on the technical aspects of security management.

• Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.

• Manage and coordinate operational components of cyber security incident management, including detection, response and reporting.

• Create and maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.

• Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances and exceptions, recommend treatment plans and communicate information about residual risk.

• Facilitate and regularly conduct security training programs across the organization.

• Manage security projects and provide expert guidance on security matters for other IT projects.

• Assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing and maintenance of disaster recovery plans.

• Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.

• Design, coordinate and oversee security testing procedures to verify the security of systems, networks and applications, and manage the remediation of identified risks.


Additional Duties:

• Participate in annual Bank Secrecy Act (BSA) and Office of Foreign Assets Control (OFAC) training and demonstrate knowledge and understanding of the BSA and OFAC, including the immediate reporting of unusual or suspicious activity to the Risk Management Department.  Undertake additional training specific to daily responsibilities and as required to ensure continued compliance with all applicable regulations.

• Successfully participate in annual Information Security refresher training. Comply with the Information Security Policy, including the immediate reporting of unusual or suspicious activity to management and the Information Security Officer. Follow all procedures to protect company computers from viruses, and to maintain the security and confidentiality of Credit Union data. 

• Ensure the Credit Union’s safe harbor protections as allowed by the BSA.  Understand that if confronted with knowledge of existence of a Suspicious Activity Report (SAR), an obligation exists to preserve the confidentiality of that SAR, as well as any information that may reveal the existence of a SAR.  Maintain awareness of, and immediately report to the Compliance Officer, any unauthorized disclosure of a SAR, or unauthorized disclosure of information related to a SAR. Understand that failure to do so is a violation of federal law and may lead to both civil and criminal penalties for SAR disclosure violations.

• Is available at all times for contact by a mobile communication device and, as needed, provides telephone support, coordinates the response and remediation of production incidents, or reports to the Credit Union.

• Undertakes other work-related duties as assigned.



Requirements

Requirements and Qualifications:

• A minimum of eight years of IT experience, with six years in an IT security role and at least four years in a supervisory capacity.

• Strong leadership skills and the ability to work effectively in a team-driven environment within IT and across the organization.

• The ability to interact and build strong relationships at all levels and across all business units and understand business imperatives.

• A strong understanding of the business impact of security threats, tools, technologies and policies.

• Strong leadership abilities, with the capability to develop and guide the IT security team members and IT staff, and work with minimal supervision.

• Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project teams, management and business stakeholders; in-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; a strong understanding of information security concepts, protocols, industry best practices and strategies.

• Experience working with legal, audit and compliance staff.

• Experience developing and maintaining policies, procedures, standards and guidelines.

• Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700x, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) frameworks.

• Familiarity with applicable legal and regulatory requirements, including, but not limited to, GLBA, FFIEC, and PCI.

• Proficiency in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies.

• Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.

• Strong analytical skills to analyze security requirements and relate them to appropriate security controls.

• Familiarity with the principles of cryptography and cryptanalysis.

• Experience in application technology security testing (white box, black box and code review).

• Experience in system technology security testing (vulnerability scanning and penetration testing).

• Experience with security systems (firewalls, intrusion detection systems, data loss prevention, content filtering, end-point security), database technologies, architectural reviews and PCI-DSS.

• Experience with risk assessment, threat and incident management methodologies. 

• Experience with public/private/hybrid cloud-based environments.

• Experience with securing Linux, Unix and Windows servers. 


Education Requirements: 

• BS in Computer Science, Information Security, Cybersecurity, or equivalent real-world experience.

• Information security industry certification (CISSP, SSCP, GIAC, GSEC, Security+, CITSM, CISA, etc.) strongly preferred.

• Certifications in Microsoft, Cisco, Checkpoint, VMWare technologies preferred.

