Information Security Officer

Information Security Officer

City First Bank N.A. is a mission-driven Community Development Financial Institution (CDFI) principally focused on a transformative impact in underserved, urban markets with the highest needs to drive equitable economic development. Our credit activities are purely commercial and focused on the following segments: Multifamily Affordable Housing, Not-for-Profit Finance, and Small Business Finance. As a depository and commercial lending provider with over $1.3 billion in bank assets as of December 31, 2024, our unified organization has over 100 employees in Washington DC and Los Angeles/Inglewood, CA.

Role Summary

The Information Security Officer is responsible for monitoring, analyzing, and maintaining the bank's technical security controls in support of City First Bank's Information Security Program. This role will be focused on maintaining the security of the bank's applications and network which includes creation and timely execution of security projects, tool installations and integrating risk-based threat intelligence into the operational environment. The role also supports the ability to maintain assurance in our technical security controls, especially on the Cloud, so that risks to the confidentiality, integrity, and availability of the bank's information systems and infrastructure are sufficiently mitigated which in turn, supports the bank's operational and compliance goals. The role will also perform triage and analysis of security events escalated from the Tier1 and Tier-2 support teams.

Essential Functions and Responsibilities

• Advanced monitoring of the day-to-day operation of Security Information and Event Management (SIEM) and Network Anomaly Detection and other security control tools.
• Act as the first point of response for security event alerts and notifications. Maintain an efficient and secure IT computing infrastructure on the bank's environment, cloud, and SaaS products.
• Provide regular security reporting and risk metrics to IT Leadership, Senior Leadership, and committees as appropriate.
• Monitor knowledge sharing services and advise leadership on cybersecurity trends, emerging threats, and regulatory guidance.
• Leads Information Security compliance tasks and coordinate and gather artifacts for internal and external audits.
• Serve as the bank's designee for regulatory and audit purposes. Align controls with guidance and recommendations.
• Work with Compliance to identify, assess, and track remediation of security risk and findings.
• Ensure compliance with GLBA, FFIEC, and other regulatory, industry, and cybersecurity standards for access control and system permissions.
• Manage identity and access, roles and permissions, assignments and changes, and all other activities to ensure adherence to policies and procedures.
• Oversee periodic User Access Reviews for key bank systems.
• Enable and oversee the process of employee user account provisioning and de-provisioning, including Active Directory and SaaS applications.
• Lead the creation, implementation and integration of identity tools and practices that enhance the organization's security and regulatory compliance.
• Conduct and maintain IT risk assessments including Information Security, GLBA, and Vendor / Third Party reviews.
• Manage vendor due diligence reviews from an information security and technology perspective.
• Develop and evaluate security procedures for IT Department.
• Develop and administer the bank's security awareness program including annual training and phishing simulations.
• Partner with IT infrastructure, application, and operations teams to ensure secure system design and configuration.
• Generate and analyze reports, monitor alerts, and review reports to monitor security activities and document findings and recommend corrective actions.
• Work with managed service providers, network administrators and security operations to resolve problems, evaluate new solutions, recommend changes, and investigate incidents.
• Collaborate with lines of business, system, and network administrators to develop and manage role-based access control groups for ensuring appropriate access to information systems, applications, and data.
• Responsible for analyzing user access roles, permissions, and profiles to establish user provisioning within all bank applications.
• Implement and upgrade network security tools running in the physical and virtual environments.
• Ensure confidential data is secure and implement controls to ensure visibility and auditability across organization for changes in roles, functions, access-levels, and data footprint.
• Other duties as assigned.

Requirements

Education & Experience

Required Education/Experience:

• Bachelor's degree in Computer Science or Information Systems, Information Technology, or related focused technical training (CISSP, CISM, CRISC, or CISA) or in lieu 4 additional years of engineering and information security experience.
• 7+ years' experience in a combination of information security, or IT operations/engineering, or IT risk management
• 4+ years' experience with designing and implementing information security technologies.
• Extensive experience in banking regulations and compliance requirements, specifically related to regulatory examinations and security requirements.
• Experience in supporting and managing audit, examination, and regulatory interactions.

Preferred Education/Experience:

• 8 years of Engineering or Security Administration in banking preferred.
• 2 years security engineering/administration in the banking/financial sector

Knowledge, Skills, and Abilities

Required Knowledge & Skills:

• Knowledge of Microsoft Azure and Microsoft O365 virtualized environment and tools is a must. Ability to configure and work on Azure Security Center and O365 Security Center.
• Knowledge of Active Directory, Azure AD, identity management, DLP policies, Azure Sentinel and other security tools essential.
• Familiarity with at least one security best practice standards such as the Center for Internet Security (CIS) Security Controls or NIST Cybersecurity Framework, or equivalent.
• Excellent knowledge of Azure Security Center and Azure portal. Knowledge of SEIM and AD tools.
• Excellent knowledge of Microsoft Operating system and Azure tools. Strong Active Directory and Windows Group Policy knowledge.
• Networking technology and protocols, including routers, switches, VPNs, Citrix, email gateways, etc.
• Requires skill in providing expert input into technology projects.
• Assist the Tier-1 and Tier-2 escalations with troubleshooting and analysis of security events.