Information Security Officer – Major Financial Services Client – NYC New York

USA, New Jersey, NYC

Published: February 11, 2021
Full Time

Job Description

Primary Responsibilities Will Include:

Governance: Ensuring all of the ISMS initiatives run smoothly and obtain the funding they need, and that corporate leadership understands their importance.

  • Identify information security polices, standards, procedures, guidelines and processes
  • Define a formal process for creating, documenting, reviewing, updating, and implementing security policies
  • Train Client personnel on the organization’s ISMS program and process
  • Liaise with regulators and key stakeholders
  • Provide support to information owners/information system owners and common control providers on how to implement ISMS for their information systems
  • Disseminate information security policies, procedures and guidelines to all concerned
  • Enforce implementation of approved information security policies, and all ISMS documents
  • Integrate information security procedures with organization's business process
  • Ensure compliance with legal and regulatory requirements for information security
  • Obtain senior management approval of information security audit report
  • Lead information security incidents
  • Prepare evidence for legal action following an information security incident
  • Seek management’s validation/approval for the policies to implement
  • Coordinate the business impact analysis process and the creation of response plans (such as BCP and SIRP)

Security Operations:

  • Real-time analysis of immediate threats, and triage when something goes wrong

Cyber Risk and Cyber intelligence:

  • Keep abreast of developing security threats, and help the board understand potential security problems that might arise from acquisitions or other big business moves
  • Assist in developing, maintaining, reviewing and improving strategic organization-wide information security and risk management plan
  • Ensure that information security considerations are integrated with IT system planning, development / acquisition life cycle
  • Perform risk assessment steps, including assuring at all times an accurate asset inventory (within the scope of information security), assuring that vulnerability analysis is performed, assuring that impact analysis is performed, and evaluating the level of risk
  • Integrate information security procedures with organization's business processes
  • Evaluate and review on a regular basis the effectiveness of information security policies
  • Alert and notify all concerned with respect to new vulnerabilities / threats
  • Coordinate and lead the design and implementation of the Business Continuity program
  • Periodically conduct mock tests or partial tests to evaluate the effectiveness of the business continuity plan
  • Periodically evaluate and review the effectiveness of the Information Security Management System through internal/external audits and tests

Data Loss and Fraud Prevention:

  • Responsible for the incident response program
  • Ensuring internal staff doesn't misuse or steal data
  • Maintain a record of information security incidents and breaches
  • Take remedial action to reduce / diminish the impact of information security incidents and breaches

Security Architecture:

  • Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
  • Define together with the Data Protection Officer (DPO) a policy for classification of information and information assets
  • Implement automated and continuous monitoring of security incidents
  • Ensure that information security considerations are integrated with IT system planning, development / acquisition life cycle
  • Ensure that all storage media (including laptops and smart phones), when no longer required, are disposed securely and safely as per laid down procedures
  • Ensure that all information systems within the organization are adequately patched and updated

Identity and access management: Ensuring that only authorized people have access to restricted data and systems.

  • Ensure that contractors/suppliers/service providers comply with Gen II’s information security requirements
  • Collaborate with HR on the employee code of conduct and on employees’ non-conformity with IT security rules
  • Perform background verification checks of job candidates together with HR

Program management:

  • Keeping ahead of security needs by implementing programs or projects that mitigate risks
  • Notify top management about the main risks and report to local Risk Officer
  • Lead the risk treatment plan
  • Share management approval report on information security and breaches
  • Design ISMS policies, consulting CTO, DPO, system engineers, legal advisors and other experts bringing added value in the design
  • Coordinate the business impact analysis process and the creation of response plans (such as BCP and SIRP)
  • Perform risk treatment steps such as: identify appropriate controls for treatment of risk; obtain approval from senior management for implementation of the identified security controls; oversee implementation of information security controls; evaluate residual risk; obtain approval from senior management for residual risk; take advice from the risk officer
  • Ensure that all information systems within the organization are adequately patched and updated

Investigations and Forensics:

  • Determining what went wrong in a breach, dealing with those responsible if they're internal, and planning to avoid repeats of the same crisis
  • Prepare evidence for legal action following an information security incident

Job Requirements, Skills, Education and Experience:

  • Degree in business administration or a technology-related field required
  • Professional security management certification
  • Minimum of 8 to 12 years of experience in a combination of risk management, information security and IT positions
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, and NIST
  • Excellent written and verbal communication skills and high level of personal integrity
  • Innovative thinking and leadership with an ability to lead and motivate cross-functional, interdisciplinary teams
  • Experience with contract and vendor negotiations and management including managed services
  • Specific experience in Agile (scaled) software development or other best in class development practices
  • Experience with Cloud computing/Elastic computing across virtualized environments
