Company: Golden 1 Talent Acquisition Team
Address: Sacramento, CA
Form of work: Full-Time
Category: Human Resources

Job description

Senior Information Risk Management Specialist
8945 Cal Center Dr, Sacramento, CA 95826, USA Req #4788
Friday, January 19, 2024

TITLE: SR INFORMATION RISK MANAGEMENT SPECIALIST
STATUS: EXEMPT
REPORTS TO: MANAGER - INFORMATION RISK
DEPARTMENT: RISK MANAGEMENT
JOB CODE: 11526

PAY RANGE: $98,600.00 - $138,000.00 ANNUALLY
GENERAL DESCRIPTION:

The Senior Information Risk Management Specialist is responsible for utilizing the Credit Union's Information Risk Management framework to identify, assess, measure, monitor and help mitigate the Information Risk relevant to Golden 1's people, processes, and technologies. The role works closely with leadership across the organization to evaluate current controls, policies, and procedures, identify necessary corrective actions to mitigate risk, and ensure alignment with the Credit Union's risk appetite and the Enterprise Risk Management framework.

The Senior Information Risk Management Specialist operates the Credit Union's information security education, training, and awareness (SETA) program. The Senior Information Risk Management Specialist uses extensive knowledge of information security best practices and standards to provide technical security training and education content to reduce Information Risk related to cybersecurity threats, and the tactics, techniques, and procedures used by malicious actors. This role delivers curated content about active cyber threats and exploits relevant to various business and technology functions as well as general information security awareness campaigns to all Credit Union stakeholders.

The Senior Information Risk Management Specialist will develop and deliver a variety of management reporting on Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for the Information Security Risk Management and Vendor Information Risk Management programs. This role builds and supports mechanisms to improve security culture and foster understanding of the importance of information security for the organization.

TASKS, DUTIES, FUNCTIONS:

  1. Perform risk and control assessments using the Information Risk Management Framework, and analyze information (e.g., risk events, root cause analysis, audit findings, KRIs/KPIs, etc.) to identify process and control improvement opportunities, and effective mitigation strategies.
  2. Collect and analyze data from Information Risk Management work products, performance metrics, and stakeholder feedback to continuously improve the program.
  3. Serve as a people-centric liaison between information security and the business, focused on addressing Information Risk; assist with and support Information Technology Governance, Risk, and Compliance and Information Security team risk assessments and practices, as needed.
  4. Control the quality and consistency of Information Risk work products such as policies, procedures, information reports, etc.
  5. Support Issue Management processes for assessment and audit findings relevant to Information Risk, including issue entry, reporting, evidence collection and review for closure activities.
  6. Work with internal stakeholders to identify information security training needs; create and select compelling and forward-thinking curriculum; and coordinate communication and delivery to employees.
  7. Collect, monitor, and maintain accurate, relevant metrics to measure the efficacy of the SETA program, and prepare reporting and presentations for leadership.
  8. Foster a culture of trust, respect, and open communication so that all employees feel welcome to ask questions, share feedback, and support the mission.
  9. Propose and operate initiatives to foster a positive security culture among Golden 1 employees.
  10. Provide advisory services, education and training to leaders and business units across the organization. Independently facilitate or lead stakeholder meetings and management briefings on relevant issues, risks or trends, associated with enterprise-level risks.
  11. Tactfully yet assertively challenge assumptions and perspectives on risk throughout the organization. Recommend improvements to policies, procedures, and practices to mitigate Information Risk.
  12. Contribute to risk committee materials, including creating and updating Risk Management reports and presentations on the evaluation of program effectiveness, level and direction of risks, key and emerging risks, and status of previously identified risk and control issues.
  13. Perform other duties as required to support Enterprise Risk Management and the business, such as developing ad-hoc analysis, performing deep dive investigations, or driving specific risk initiatives.
  14. Maintain a thorough understanding of state and federal laws and regulations related to the security of credit union information; maintain knowledge of current cybersecurity standards and frameworks, practices and technologies.

PHYSICAL SKILLS, ABILITIES, AND EXERTION UTILIZED IN THE PERFORMANCE OF THESE TASKS:

  1. Outstanding oral, written, and presentation skills required.
  2. Strong interpersonal and diplomacy skills required. Must have the ability to run productive meetings and interact with various staff.
  3. Excellent prioritization skills to effectively conduct and manage multiple priorities and meet deadlines as required.
  4. Must possess sufficient manual dexterity to skillfully operate an on-line computer terminal and other standard office equipment, such as a personal computer, multifunction printer, and telephone.

ORGANIZATIONAL CONTACTS & RELATIONSHIPS:

  1. INTERNAL: All levels of staff and management, including senior and executive-level leadership.
  2. EXTERNAL: Certain vendors and contractors aiding Information Risk Management as needed.

QUALIFICATIONS:

  1. EDUCATION:
    1. Bachelor's degree from an accredited college or university in communications, computer science, or related field.
  2. EXPERIENCE:
    1. Five or more years of experience in managing information security awareness efforts.
    2. Experience with security awareness training platforms.
    3. Project management experience, the ability to plan, manage and maintain a complex enterprise-wide program.
  3. KNOWLEDGE / SKILLS:
    1. Knowledge of different content delivery techniques to ensure end users understand and continually apply the required behavioral changes necessary to reduce the 'human element' of security risk.
    2. Knowledge of training and education principles and methods for curriculum design, teaching and instruction for individuals and groups, and the measurement of training and education effects.
    3. Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
    4. Knowledge of Risk Management processes (e.g., methods for assessing and mitigating risk).
    5. Skill in developing and executing technical training programs and curricula.

PHYSICAL REQUIREMENTS:

  1. Prolonged sitting throughout the workday with occasional mobility required.
  2. Corrected vision within the normal range.
  3. Hearing within normal range. A device to enhance hearing will be provided if needed.
  4. Occasional movements throughout the department daily to interact with staff, accomplish tasks, etc.

LICENSES / CERTIFICATIONS:

Relevant Risk Management certifications or credentials are beneficial but not required.

REV. 1/18/2024

Other details
  • Job Family: Senior Professional
  • Job Function: Senior Professional
  • Pay Type: Salary
  • Min Hiring Rate: $98,600.00
  • Max Hiring Rate: $138,000.00
Refer code: 7905829. Golden 1 Talent Acquisition Team - The previous day - 2024-01-25 22:12
