Job Description

CORPORATE IT SECURITY MANAGER

Our Company

At FirstBank PR, we strive to be trusted advisors to our clients, and our employees are the ones that ensure we deliver on our promise of excellence in personalized customer service.
Our more than 3,100 employees in Puerto Rico, the Virgin Islands and Florida share a passion for excellent customer service.
We are proud of our team because they are continuously surpassing our clients' expectations.
  
Do you have a passion for helping customers, building relationships, and delivering extraordinary, personalized customer service?
If your answer is yes, FirstBank is the number one place for you.

A Brief Overview
  
The IT Security Manager is in charge of establishing the required activities and procedures to manage security risks to an acceptable level across the IS functions for the Corporation.
Assists in the creation and modification of IS standards, policies, and procedures to comply with applicable laws/regulations and industry best practices.
Advises corporate management by providing functional expertise concerning all aspects of Information Security, integrity and privacy of corporate systems and data resources.

The IT Security Manager will be part of the Corporate Security Office (CSO), which is responsible for managing the Bank’s Information Security strategy, such as developing IT standards, policies, and procedures to comply with applicable laws/regulations and industry best practices.

What you’ll do

Information Security Governance
  
+ Builds a strategic and comprehensive information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality and availability of information that is owned, controlled and processed within the organization. Ensures information security policies, standards, and procedures are up to date.

+ Assists the Corporate Security Director and Corporate Security Division Director with the Information Security (IS) Management functions. Provides reporting to the Corporate Security Officer related to IS matters for Management, IT Committees, the Audit Committee, and the Board of Directors to ensure security topics and risks are known and managed effectively.

+ Serves in a leadership role for security compliance.

+ Oversees the development/update of IT policies, procedures, standards, and guidelines related to information security and other related IT areas, based on applicable laws/regulations and industry best practices.

+ Evaluates the overall integrity and effectiveness of the IS management systems and controls.

+ Oversees the development/update of IS Monitoring Reports (KRIs/Scorecards/Dashboards).

+ Assesses the risks associated with Managed Security Service (MSS) providers. Manages the relationship to ensure the service being provided operates as intended.

+ Responsible for initial and periodic information security risk mitigation and remediation. Responsible for development and implementation of the security risk management plan.

+ Establishes and maintains processes for coordinating the correction of deficiencies which may arise from self-assessment, reviews by the Internal Audit or Corporate Compliance departments, or external regulatory bodies.

+ Participates actively in the Corporation's systems conversion processes. Provides support in the evaluation of IT controls over new systems/applications for compliance with IS Policies and regulatory requirements.

+ Oversees and evaluates identified IS risks, exceptions, incidents, etc.

+ Ascertains that the Corporation is complying with industry best practices and standards: PCI, ISO 27k series, NIST, etc.

+ Oversees, develops and/or delivers initial and ongoing security training to the workforce. Initiates, facilitates, and promotes activities to foster information security awareness within the organization and related entities.

+ Serves as information security consultant to all departments for all data security related issues.

+ Responsible for the unauthorized IT software review and remediation process.

+ Responsible for the monitoring and approval of the IT Security Budget.

+ Reviews Business Cases to ensure security practices are contemplated.

+ Participates in Senior / Executive Management Committees.
  
Cyber Security Operations

+ Assist the Corporate Security Director as necessary to respond to and mitigate cybersecurity risks for internal control improvement.

+ Provide feedback regarding cyber security in the development/update of Information Security (IS) policies, procedures, standards, and guidelines.

+ Develop security related dashboards and reports for Cyber Security Management.

+ Oversee and monitor critical Information Technology / Information Security third party service providers and monitor compliance with agreed-upon contracts/terms.

+ Oversee the Penetration Tests and Vulnerability Scans and evaluate results to proactively identify and fix security flaws and vulnerabilities.

+ Chair the Patch Management Board (PMB) / Vulnerability Management Committee (VMC) for the oversight of the Patch Management efforts, providing feedback and best practices to remediate any outstanding risks/flaws. Ascertain vulnerabilities are remediated within Policy.

+ Oversight of Network Security: Firewall Management, IDS / IPS, Web-Content Filtering, Data Loss Prevention (DLP), Endpoint Protection, etc.

+ Oversight and evaluation of the MSSP Security Operations Center (SOC). Reviews alerts generated from the SOC on a timely basis.

+ Management of the Email Gateway Solution.

+ Management of the Sandbox Environment Solution.

+ Management of Office 365 Security and Compliance, Intune, Conditional Access, etc.

+ Management of the Vulnerability Scanning solution.

+ Management of suspicious email solutions and the SOP regarding suspicious email activity and response.

+ Responsible for Configuration Management for all IT Assets. Compliance scans should be performed to ensure Assets are in accordance with Standards and Regulations. Report to Senior Management on Compliance.

+ Periodic report on the Cyber Security Posture of the Corporation to Senior and Executive Management.
  
Incident Management

+ Responsible for the Information Security Incident Response Plan.

+ Serve as a Subject Matter Expert for incident handling and response.

+ Establishes and administers a process for investigating and acting on security incidents which may result in an information breach.

+ Conduct Incident Management preparedness activities.

+ Assist in forensic investigations regarding Information Security incidents or events.
  
Security Architecture

+ Responsible for the overall strategy and design regarding Information / Cyber Security, taking a holistic approach to evaluating vendors, applications, and processes.

+ Review encryption technology to ensure it is aligned with Industry Standards and Best Practices. Maintain the Encryption Policy.

+ Review the Network environment to ensure it is aligned with Industry Standards and Best Practices, and recommend strengthening actions such as Network Segmentation, Defense in Depth, Remote Access, etc.

+ Review the Cloud Environment to ensure it complies with Corporate Standards. Provide recommendations when necessary.

+ Validate new technology and services and ascertain they meet Corporate Policy and Standards. Provide recommendations when necessary.

+ Assist other IT Departments to ensure IT solutions comply with minimum Security standards.

+ Analyze new trends to ensure up-to-date technology and services are maintained.
  
Information Security Project Management

+ Assist the Project Management Office with the Project Delivery Lifecycle to ensure Information Security practices are maintained in each step: Requirements, Design, Testing, Implementation, etc.

+ Ensure key security milestones are completed for each project (where applicable): Vulnerability scans, Code Review, Penetration Tests, Logging capabilities, Role-based Access, etc.

+ Serve as a Subject Matter Expert and provide recommendations for remediating vulnerabilities identified through Penetration Tests and Vulnerability Scans.

+ Ascertain hardening standards are contemplated as part of each project implementation. Manage Compliance scans to ensure new applications comply with Corporate Standards.

+ Active participant in the Infrastructure Steering Committee.
  
Threat Intelligence

+ Ensure the Corporation receives adequate Threat Intel through different forums, such as FS-ISAC and similar open/commercial threat intelligence feeds.

+ Process both internal and external Cyber Threat Intel to determine potential threats and impact, and implement mitigating actions.

+ Escalate with vendors any outstanding event that may hamper or negatively affect the Corporation's IT Assets.

+ Follow up with IT / Information Security Vendors to ensure updates and upgrades have been implemented.
  
Emerging Responsibilities

+ Leads the implementation and continuous improvement of Zero Trust Architecture across the organization, ensuring strict identity verification and least-privilege access principles.

+ Integrates AI-driven threat detection and response systems to proactively identify and mitigate advanced persistent threats and anomalous behaviors.

+ Oversees Cloud Security Posture Management (CSPM) initiatives to ensure secure configuration and compliance of cloud environments with industry standards.

+ Ensures compliance with evolving regulatory frameworks such as the SEC cybersecurity disclosure rules.

+ Collaborates with legal and compliance teams to interpret and implement new cybersecurity regulations and ensure timely reporting of incidents as required by law.

+ Evaluates and integrates emerging technologies such as Secure Access Service Edge (SASE), Extended Detection and Response (XDR), and Security Orchestration, Automation and Response (SOAR) platforms.

+ Develops and maintains a threat modeling program to assess risks associated with new technologies and digital transformation initiatives.

+ Implements continuous security validation practices such as breach and attack simulation (BAS) to test the effectiveness of security controls.

Other Responsibilities
  
+ Performs other tasks as requested by the Corporate Security Director.

+ Performs/Supports highly technical tasks such as:
    + Systems and procedures review and implementation
    + Policies Awareness training
    + Special Investigations (Forensic)
    + Root Cause Analysis Process

+ Performs special tasks in order to assist internal and external auditors and regulators in their procedures.

+ Monitors compliance with his/her continued education requirements.

+ Safeguards information related to his/her duties.
  
   
  
What You’ll Need to Succeed

+ A Bachelor’s Degree in Information Technology, Computer Science, Engineering, or Business is required for this position.

+ The incumbent must have over 7 years of Information Security experience or experience in a similar position within the Banking Industry.

+ CISSP, CISM or any other similar certification is highly desired but not required.

+ A master's degree in Computer Science, Information Systems, Engineering, or an MBA is preferred.

+ Strong understanding of Information Security Frameworks such as COBIT 5, ISO 27000, NIST, and others is required.

+ 7 or more years of related work experience in IT, Information Security topics, or developing, implementing or architecting information security systems; experience in the banking industry highly preferred.

+ Minimum of 5 years of relevant experience at a financial services company, or comparable experience working as an advisor to a financial services company.
  
Competencies

+ Supervisory, interpersonal communication, leadership and team skills

+ Able to work in a team-oriented, highly demanding and fast-paced environment.

+ Excellent written communication skills, with direct experience drafting guidance documentation

+ Understanding of complex business and Information Technology / Information Security processes

+ Familiarity with vulnerability assessment and penetration testing best practices

+ Organization and prioritization skills

+ Strong analytical and problem-solving skills

+ Analytical thinker and self-starter

+ Wide information technology knowledge within the Banking Industry.

+ Understanding of and proficiency in common cyber threat terminology and methodologies, a basic understanding of cyber incident response, and awareness of related current events

+ Strong working knowledge of Information and System Security and internal control frameworks such as COBIT, ISO 27000, NIST, etc.

+ A strong understanding of Information Security regulatory requirements and compliance issues, with previous experience with applicable regulations from the FDIC, FFIEC, SOX, etc.

+ Knowledge of databases, Web Applications, Network and communication Infrastructure, operating systems (e.g. IBM, Unix, Linux and Windows), and security technologies (firewalls, IDS/IPS, etc.)

+ Proven experience utilizing PCs, Windows Operating Systems (2000, XP, 200X Server and Windows 7), and other operating systems (Linux, SUSE, Mandrake, Red Hat, etc.), with familiarity with the pertaining applications preferred.

+ Hands-on skills in audit planning, development of audit programs, fieldwork and wrap-up

+ Experience in project management of information security projects, including development of project charters and plans, management of project execution, and successful implementation of the planned solution

+ Knowledge of general security concepts and methods such as vulnerability assessments, privacy assessments, intrusion detection, incident response, security policy creation, enterprise security strategies, architectures and governance

+ Proficient in Excel, Word, Outlook, Access, PowerPoint

+ Experience in process definition, workflow design and process mapping

+ Committed to accuracy. Must be able to provide out-of-the-box solutions to highly complex issues.
  
 EQUAL EMPLOYMENT OPPORTUNITY EMPLOYER