
Information Security Officer


Heritage Bank - Greater Cincinnati

On-site
Posted 16 hours ago. Apply by June 5, 2026.

Job Description

Information Security Officer (ISO)

Position Summary
The Information Security Officer (ISO) supports Heritage Bank’s Security Program by providing second-line oversight, governance, risk management, and control assurance. This role partners closely with IT, Security Operations, Risk Management, Compliance, and Audit to ensure security controls are designed appropriately, operating effectively, and aligned to regulatory expectations and industry standards.
The ISO assists in maintaining a mature information security program consistent with applicable laws and regulations (including GLBA and FFIEC guidance) and frameworks such as NIST and ISO.

Key Responsibilities
Governance, Risk, and Compliance Oversight
Support the development, maintenance, and ongoing improvement of the Information Security Program, including its policies and procedures.

Provide second-line oversight of information security controls and ensure alignment to regulatory requirements (e.g., GLBA Safeguards Rule) and industry frameworks (e.g., NIST CSF, NIST 800-53).

Maintain and update the information security risk assessment program, including risk identification, analysis, and tracking.

Support board and senior management reporting on security posture, risk trends, and program maturity.

Control Assurance and Monitoring

Conduct periodic security control reviews to validate design and operational effectiveness (e.g., access controls, logging, vulnerability management, change management, secure configuration).

Support and coordinate internal control testing, information security risk assessments, and risk/control attestations.
Track security issues through remediation, validate closure evidence, and maintain issue documentation suitable for audit and examination review.

Assist with metrics development and reporting (KRIs/KPIs) for security and technology risk.

Present periodic reports to the IT Steering Committee.
Third-Party / Vendor Security Risk

Support third-party information security due diligence and ongoing monitoring, including review of SOC reports, security questionnaires, and contract security provisions.

Partner with senior management to verify contracts include appropriate security requirements (e.g., incident notification, encryption, access control, audit rights, subcontractor controls).

Incident Response & Cyber Resilience (Oversight Role)
Coordinate and participate in incident response governance activities, including tabletop exercises, lessons learned, and post-incident reporting.

Ensure incident response plans, escalation procedures, and communications workflows are documented and tested.
Support oversight of business continuity and disaster recovery security requirements (especially for cyber events).

Regulatory, Audit, and Examination Support

Serve as a key contributor during regulatory examinations and independent audits for information security-related requests.
Obtain and maintain the documentation and evidence required for IT-IS exam readiness (policies, risk assessments, test results, vendor reviews, incident records, etc.).

Track and coordinate responses to IT-IS audit findings, regulatory matters requiring attention (MRAs), and other action plans.

Security Awareness and Training (Program Oversight)
Support the development and maintenance of the security awareness program, including role-based training and phishing simulations.

Monitor training completion and help drive improvements based on observed risk trends.

Program Management and Cross-Functional Collaboration
Partner with IT to provide governance support and ensure security requirements are integrated into projects and operational processes.

Participate in change advisory boards (CAB) or risk review forums as needed.

Support secure adoption of new technologies (e.g., cloud services, SaaS, AI tools) through structured risk review.

Reporting Relationships

Reports to: Chief Operations Officer (COO)

Works closely with: IT Operations, Enterprise Risk Management, Internal Audit, Vendor Management, Business Unit Leaders, and Compliance.

Note: This is a second-line oversight role and does not own day-to-day operational security execution (e.g., SOC monitoring, firewall administration), but ensures governance, risk management, and control assurance are effective.

Required Qualifications

Bachelor’s degree in Information Security, Information Systems, Risk Management, or a related field (or equivalent experience).

5+ years of experience in information security, IT risk, compliance, audit, or security governance.
Working knowledge of banking/credit union regulatory expectations, including:
GLBA Safeguards Rule
FFIEC IT Examination Handbook / CAT concepts
Strong understanding of security risk management and control frameworks (e.g., NIST CSF, NIST 800-53, ISO 27001).
Experience supporting audits, regulatory exams, and evidence collection.
Strong written and verbal communication skills, including the ability to produce clear risk narratives and executive-level reporting.

Preferred Qualifications
Experience in a regulated financial institution or environment (bank, credit union, fintech with banking oversight, or comparable experience).
Certifications such as:
CISM, CISSP, CRISC, CISA
Familiarity with:
SOC 1 / SOC 2 report review
ISO 27001
Vendor risk programs
Business continuity and disaster recovery testing
Security metrics and maturity modeling
Experience working with platforms (e.g., ).

Core Competencies
Risk-based decision making
Strong documentation and evidence discipline
Ability to challenge effectively (second-line posture) while maintaining strong partnerships
Regulatory readiness mindset
Program management and follow-through
High integrity and discretion

Performance Metrics (Examples)
Timeliness and quality of security risk assessments and control reviews
Audit and exam readiness (evidence quality, response time, reduction in repeat findings)
Issue remediation tracking effectiveness (aging, closure validation)
Vendor security review completion and quality
Improvements in security KRIs/KPIs and program maturity over time
