
Information Security Governance Lead

Verve, a Credit Union
Oshkosh, WI Full Time
POSTED ON 4/17/2026
AVAILABLE BEFORE 5/16/2026
Position Summary

The Information Security Governance Lead supports the Credit Union by identifying, assessing, driving, and tracking the mitigation of information security risk across systems, applications, data, and third-party relationships. This role partners closely with Information Technology and business leaders throughout the organization to strengthen governance, improve control effectiveness, and enhance the organization’s security and compliance posture through ongoing risk assessments, vendor management, security program recommendations, and executive-level reporting. The Lead supports control assurance activities by evaluating and documenting safeguards against well-known security frameworks, helping the organization prioritize improvements and communicate risk and control maturity in clear, decision-useful terms. The Lead also supports business continuity and incident response governance, ensuring plans remain current through coordinated updates and facilitating periodic tests and exercises to validate readiness and drive continuous improvement.

Position Responsibilities

  • Assess risks associated with information technology including systems, applications, data and infrastructure.
  • Conduct periodic information security control assurance assessments by evaluating the design and effectiveness of safeguards against internal requirements and well-known frameworks (e.g., NIST, CIS), documenting results, gaps, and prioritized recommendations.
  • Lead the organization’s Vendor Management program for new and existing third-party relationships, including due diligence reviews of contract terms, penetration tests, and SOC or IT Audit reports.
  • Regularly review and recommend adjustments to information security training programs to ensure training is addressing the highest risks to the credit union and meeting all compliance requirements and best practices.
  • Develop and maintain a comprehensive IT risk register, documenting identified risks and their potential impacts.
  • Collaborate with IT and physical security to design and implement risk mitigation strategies.
  • Monitor and track the effectiveness of risk mitigation efforts, recommending adjustments as necessary.
  • Recommend adjustments to policies, procedures, and controls to better manage IT compliance risks.
  • Maintain awareness of relevant regulations and guidance (e.g., FFIEC, GLBA, PCI-DSS) and translate requirements into practical control expectations and assessment criteria.
  • Track response to information security alerts to ensure timely resolution based on risk severity.
  • Report on aging of vulnerabilities and penetration test findings and track remediation efforts.
  • Compile and present security posture metrics appropriate for dissemination to senior leaders and the board.
  • Perform and manage user access reviews for key systems, documenting exceptions and remediation efforts.
  • Prepare executive-level IT risk reports for senior management and stakeholders.
  • Maintain up-to-date knowledge of regulatory changes and industry best practices related to IT compliance.
  • Support business continuity and incident response governance by coordinating updates with plan owners, ensuring roles, escalation paths, business impact analysis, playbooks, and other documentation remain current.
  • Provide guidance and support to IT and business teams on compliance related issues.
  • Plan, facilitate, and document periodic business continuity and incident response tests/exercises, capturing outcomes and improvement actions and tracking follow-through to completion.
  • Prepare and assist with collecting evidence for regulatory exams and audits.
  • Assist in the investigation of IT compliance incidents and breaches and prepare reports on findings.
  • Coordinate with internal and external stakeholders during compliance investigations and audits.
  • Administer the information security risk acceptance process.
  • Promote a culture of compliance.
  • Additional duties as assigned.

Qualifications

EDUCATION AND EXPERIENCE

  • Bachelor’s degree or a combination of education and experience.
  • 3 years of experience working at a financial institution.
  • 3 years of experience in risk management, compliance, information security or a related field.
  • 3 years of experience working in or closely with Information Technology.
  • Experience with regulatory compliance frameworks such as CIS, FFIEC, NIST, ACET, InTREx, GLBA, PCI-DSS, etc.
  • Experience conducting risk assessments and implementing risk mitigation strategies.
  • Familiarity with reviewing vendor due diligence including contract terms, penetration tests, and SOC reports.
  • Certifications such as CRISC, CISSP, CISM, CySA+, CASP+, CRVPM, or CRBCMA preferred but not required.

KEY COMPETENCIES

  • Strong understanding of information security.
  • Proficiency in using risk assessment tools and methodologies.
  • Ability to document and communicate risk and control maturity in clear terms for leadership reporting.
  • Strong facilitation skills to plan and run exercises and drive follow-through on improvement actions.
  • Strong written documentation discipline (standards, evidence organization, and repeatable processes).
  • Familiarity with compliance management software or Governance, Risk, Compliance (GRC) tools.
  • Excellent analytical and problem-solving skills.
  • Strong communication and interpersonal skills.
  • Ability to work independently and collaboratively in a team environment.
  • Attention to detail and proactive approach to identifying and addressing risk.
  • Possess a working knowledge of all relevant Banking Rules and Regulations.

PHYSICAL DEMANDS AND WORK ENVIRONMENT

  • Work Environment: Business office; the noise level in the work environment is usually quiet to moderate.
  • Physical Requirements: Ability to sit or stand at a desk the majority of the day; talk or hear; stand or walk occasionally. While performing the duties of this job, the team member is typically utilizing a computer, keyboard, and phone. May occasionally reach with hands and arms; stoop, kneel, and crouch.

WHAT DO WE OFFER?

Benefits

  • Medical, dental and vision insurances
  • Supplemental insurances
  • Pre-tax and Roth 401(k) Safe Harbor options
  • Flexible spending accounts
  • Health Savings Account (HSA)
  • Paid time off (PTO)
  • Paid holidays, including birthday
  • Bereavement and pet leave
  • Basic Life/AD&D, short-term and long-term disability coverage at no cost
  • Voluntary Life/AD&D
  • Employee Assistance Program

The above information has been designed to indicate the general nature and level of work performed by persons within this job classification. It is not designed to contain or be interpreted as a comprehensive inventory of all the duties, responsibilities, and qualifications required of persons assigned to this job. Additional duties may be required to perform the job effectively.

Salary.com Estimation for Information Security Governance Lead in Oshkosh, WI
$91,098 to $109,260

