Job Details
Natick, MA
Full Time
$85,106.00 - $137,807.00 Salary
Any
Information Technology
Description
Position Description
Title: Information Security Manager
Department: Risk Management
Reports to: FVP, Chief Risk Officer
Supervises: None
Classification: Exempt
Date Prepared: April 2025
Summary / Objective
The Information Security Officer is responsible for developing, implementing, and maintaining the organization’s information security program in compliance with the FFIEC IT Examination Handbook and other regulatory requirements. The ISO ensures the protection of sensitive data, manages cyber risks, and works closely with management, IT, risk, and compliance teams to enforce security policies, controls, and best practices.
Experience & Education Requirements:
Bachelor’s degree in Computer Science, Information Security, Cybersecurity, or a related field or equivalent experience.
Industry-recognized certifications such as CISSP, CISM, CISA, CRISC, or GIAC preferred.
5+ years of experience in information security, cybersecurity, or IT risk management, preferably within a financial institution.
Strong understanding of FFIEC guidelines, Information Security frameworks, PCI-DSS, GLBA, and banking regulations.
Experience with security architecture, incident response, SIEM tools, and identity & access management (IAM).
Familiarity with cloud security, digital banking risks, and payment systems security.
Job Requirements:
Strong risk management skills and mindset.
Extensive knowledge of cyber security concepts, principles, methods, and products.
General knowledge of financial and banking technology including core banking software, loan origination platforms, online and mobile banking platforms, general ledger software, ATM technology, etc., preferred.
Proficiency in interpreting and analyzing the impact of federal and state regulations required; proficiency in banking regulations preferred.
Experience performing compliance reviews/audits for a financial institution, preferred.
Experience in developing and delivering Information/Cyber Security or other technical training.
Ability to communicate complex technical topics to non-technical audience.
Ability to keep pace with the rapidly evolving threat landscape.
Proficient in Microsoft Office Suite products.
Qualifications
Specific Job Functions:
Governance and Security Program Management
Maintain an enterprise-wide information security program in alignment with FFIEC guidelines and industry best practices.
Establish and enforce security policies, standards, and procedures to protect the institution’s assets, including customer and financial data.
Report security risks and incidents to senior management and the Board of Directors.
Ensure compliance with regulatory requirements such as GLBA, BSA/AML, PCI-DSS, and other applicable laws.
Serve as backup for the risk assessment process, evaluating threats and vulnerabilities to information assets.
Risk Management and Compliance
Oversee the implementation of technical and administrative security controls to mitigate risks.
Monitor compliance with security policies and procedures through audits, reviews, and gap analyses.
Ensure the organization follows an established industry framework (e.g., NIST, CIS).
Serve as backup for information security risk assessments.
Work with IT on ongoing IAM updates, and review and monitor IAM reports.
Incident Response and Business Continuity
Develop and maintain the Incident Response Plan (IRP) and coordinate responses to cyber threats, security breaches, and fraud attempts. Complete annual tests and exercises.
Establish and test the Business Continuity Plan (BCP) in coordination with IT and Risk Management and individual business units. Complete annual tests and exercises.
Serve as the primary point of contact for information security incidents, ensuring appropriate reporting, remediation, and maintaining documentation.
Cybersecurity Monitoring and Threat Intelligence
Work with IT to oversee real-time security monitoring, including Security Information and Event Management (SIEM) solutions, to detect and respond to threats.
Perform reviews of daily, weekly, and monthly Information Security reports.
Collaborate with third-party security providers and government agencies (e.g., FS-ISAC, CISA, FBI) for threat intelligence sharing.
Oversee regular penetration testing and vulnerability assessments to proactively identify weaknesses.
Employee Training and Awareness
Design and lead security awareness training programs for employees, ensuring a strong culture of cybersecurity.
Conduct phishing simulations, tabletop exercises, and cybersecurity drills to enhance employee readiness.
Reporting and Communication
Prepare and present security reports, risk assessments, and incident updates to executive management.
Communicate regulatory updates, cyber risks, and compliance matters to stakeholders in a clear and concise manner.
Privacy
Establish and maintain policies, procedures, standards, and guidelines for the Bank’s Privacy Program.
Responsible for updating Privacy Policy and notices, as necessary.
General
Assist internal, external, and regulatory auditors with the collection of requested materials, as assigned with their respective engagements.
Provide regular reporting to bank management for the Information Security Program and all GLBA compliance.
Ensures that areas of direct responsibility operate within guidelines set by State and Federal laws.
Participates in user groups for third-party service providers, industry trade groups, and educational programs to remain abreast of current issues and requirements that impact the Bank.
Ensure compliance with BSA regulations as appropriate to the position.
In the performance of respective tasks and duties, the employee is expected to maintain knowledge of and ensure compliance with Bank Secrecy Act regulations, to adhere to compliance procedures and internal/operational risk controls in accordance with all applicable regulatory standards, requirements, and policies, and to attend all required training sessions and complete all required on-line training courses.
Reasonable accommodation may be made to enable individuals with disabilities to perform the essential functions.
Other Duties
This job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. It is expected that from time to time other duties, both related and unrelated to the above, may be assigned and therefore required.