Information Security Officer

WHO WE ARE

City First Bank N.A. is a mission-driven Community Development Financial Institution (CDFI) principally focused on a transformative impact in underserved urban markets with the highest needs to drive equitable economic development. Our credit activities are purely commercial and focused on the following segments: Multifamily Affordable Housing Not-for-Profit Finance and Small Business Finance. As a depository and commercial lending provider with over $1.3 billion in bank assets as of December 31 2024 our unified organization has over 100 employees in Washington DC and Los Angeles/Inglewood CA.

ROLE SUMMARY

The Information Security Officer is responsible for monitoring analyzing and maintaining the banks technical security controls in support of City First Banks Information Security Program. This role will be focused on maintaining the security of the banks applications and network which includes creation and timely execution of security projects tool installations and integrating risk-based threat intelligence into the operational environment. The role also supports the ability to maintain assurance in our technical security controls especially on the Cloud so that risks to the confidentiality integrity and availability of the banks information systems and infrastructure are sufficiently mitigated which in turn supports the banks operational and compliance goals. The role will also perform triage and analysis of security events escalated from the Tier1 and Tier-2 support teams.

ESSENTIAL FUNCTIONS AND RESPONSIBILITIES

• Advanced monitoring of the day-to-day operation of Security Information and Event Management (SIEM) and Network Anomaly Detection and other security control tools.
• Act as the first point of response for security event alerts and notifications. Maintain an efficient and secure IT computing infrastructure on the banks environment cloud and SaaS products.
• Provide regular security reporting and risk metrics to IT Leadership Senior Leadership and committees as appropriate.
• Monitor knowledge sharing services and advise leadership on cybersecurity trends emerging threats and regulatory guidance.
• Leads Information Security compliance tasks and coordinate and gather artifacts for internal and external audits.
• Serve as the banks designee for regulatory and audit purposes. Align controls with guidance and recommendations.
• Work with Compliance to identify assess and track remediation of security risk and findings.
• Ensure compliance with GLBA FFIEC and other regulatory industry and cybersecurity standards for access control and system permissions.
• Manage identity and access roles and permissions assignments and changes and all other activities to ensure adherence to policies and procedures.
• Oversee periodic User Access Reviews for key bank systems.
• Enable and oversee the process of employee user account provisioning and de-provisioning including Active Directory and SaaS applications.
• Lead the creation implementation and integration of identity tools and practices that enhance the organizations security and regulatory compliance.
• Conduct and maintain IT risk assessments including Information Security GLBA and Vendor / Third Party reviews.
• Manage vendor due diligence reviews from an information security and technology perspective.
• Develop and evaluate security procedures for IT Department.
• Develop and administer the banks security awareness program including annual training and phishing simulations.
• Partner with IT infrastructure application and operations teams to ensure secure system design and configuration.
• Generate and analyze reports monitor alerts and review reports to monitor security activities and document findings and recommend corrective actions.
• Work with managed service providers network administrators and security operations to resolve problems evaluate new solutions recommend changes and investigate incidents.
• Collaborate with lines of business system and network administrators to develop and manage role-based access control groups for ensuring appropriate access to information systems applications and data.
• Responsible for analyzing user access roles permissions and profiles to establish user provisioning within all bank applications.
• Implement and upgrade network security tools running in the physical and virtual environments.
• Ensure confidential data is secure and implement controls to ensure visibility and auditability across organization for changes in roles functions access-levels and data footprint.
• Other duties as assigned.

EDUCATION & EXPERIENCE

Required Education/Experience:

• Bachelors degree in Computer Science or Information Systems Information Technology or related focused technical training (CISSP CISM CRISC or CISA) or in lieu 4 additional years of engineering and information security experience.
• 7 years experience in a combination of information security or IT operations/engineering or IT risk management
• 4 years experience with designing and implementing information security technologies.
• Extensive experience in banking regulations and compliance requirements specifically related to regulatory examinations and security requirements.
• Experience in supporting and managing audit examination and regulatory interactions.

Preferred Education/Experience:

• 8 years of Engineering or Security Administration in banking preferred.
• 2 years security engineering/administration in the banking/financial sector

KNOWLEDGE SKILLS AND ABILITIES

Required Knowledge & Skills:

• Knowledge of Microsoft Azure and Microsoft O365 virtualized environment and tools is a must. Ability to configure and work on Azure Security Center and O365 Security Center.
• Knowledge of Active Directory Azure AD identity management DLP policies Azure Sentinel and other security tools essential.
• Familiarity with at least one security best practice standards such as the Center for Internet Security (CIS) Security Controls or NIST Cybersecurity Framework or equivalent.
• Excellent knowledge of Azure Security Center and Azure portal. Knowledge of SEIM and AD tools.
• Excellent knowledge of Microsoft Operating system and Azure tools. Strong Active Directory and Windows Group Policy knowledge.
• Networking technology and protocols including routers switches VPNs Citrix email gateways etc.
• Requires skill in providing expert input into technology projects.
• Assist the Tier-1 and Tier-2 escalations with troubleshooting and analysis of security events.