Information Security Analyst II

We recognize that in order to meet the needs of our communities, we must represent our communities. Our success relies on creating a culture where we have diverse perspectives and a true sense of belonging. This is a journey, and we pledge to do more than simply check the box.

When you join the Meritrust team, your benefits will include:

• Comprehensive medical insurance plan
• Dental and vision insurance
• Generous paid-time-off
• 12 paid holidays
• Annual bonus (based off of annual results/scorecard each year)
• 401(k) plan
• Wellness program
• Tuition assistance
• Employee loan discount
• Employee Assistance Program (EAP)
• Life and disability coverage

What sets working for Meritrust apart?

• Career development and pathing opportunities to move into leadership roles or other lines of business within MCU such as Commercial Lending, Finance, Marketing, Underwriting, Member Solutions, Training, Human Resources, and more.
• Supportive and engaging work environment.
• A wellness and sustainable work culture that puts family, Mother Nature, our community, and your health first.
• A work environment that encourages personal as much as professional growth, teamwork to make the dream work, and treating everyone equally.
• Studies have shown that individuals from marginalized and or historically underrepresented groups may be less likely to apply for jobs unless they meet every one of the qualifications listed. We are most interested in finding the best candidate for the job. We would encourage you to apply for a job at Meritrust Credit Union, even if you don't meet every one of our qualifications listed.

This is a full-time position working 40 hours a week, Monday-Friday 8:00am - 5:00pm.
Position Summary
Responsible for executing the Governance, Risk, and Compliance (GRC) program within Information Security team for Meritrust Credit Union (MCU). This position reports to the AVP, Security Analysis.

Will work closely with the Risk and Compliance department in ensuring MCU is meeting regulatory requirements and organizational risk tolerance. This position is responsible for maintaining all operational tasks within the information security portfolio including security training, building and reviewing security policies and controls, conducting risk reviews of systems and compliance with information security best practices.

ESSENTIAL FUNCTIONS Governance

• Stay current with Financial Regulations such as FFIEC guidelines, NCUA requirements, and other compliance regulations.
• Familiar with Information Security Frameworks such as PCI DSS, NIST 800-53, FedRAMP, ISO 27001, CIS, MITRE ATT&CK, OWASP Top 10, etc.,
• Build and integrate the security frameworks into the MCU Information Security Program, ensuring organizational compliance.
• Develop, implement, and maintain policies, standards, and procedures to ensure alignment with MCU security objectives and industry best practices.
• Design and conduct employee training on compliance, information security, and risk management topics with a focus on safeguarding MCU assets, including member data.

Risk Management

• Perform risk assessments to identify and mitigate risks related to member data, application security, and security tool health checks.
• Analyze and document identified risks, providing actionable mitigation recommendations.
• Support the Information Security Incident Response Plan (ISIRP), Business Continuity and Disaster Recovery (BC/DR) plans and assist tabletop exercises to ensure operational resilience.

Compliance

• Monitor and support compliance efforts related to regulations and frameworks such as NCUA, NIST, ISO, PCI DSS, CIS, MITRE ATT&CK, OWASP Top 10, and other relevant frameworks.
• Assist with internal and external audits and regulatory examinations, providing required evidence and ensuring timely remediation of findings.
• Conduct regular testing of controls in security policies to ensure effectiveness and alignment with regulatory requirements.
• Manage findings from audits, risk assessments, security policies control testing, documenting resolutions and tracking remediation progresses.
• Participate in the exceptions management process, conducting documentation, risk acceptance, and periodic reviews of exceptions.
• Monitor phishing reports and InfoSec tickets submitted by employees, ensuring proper investigation, resolution, and follow-up.

Collaboration & Reporting

• Collaborate with IT, compliance/risk management, and operational teams to align cybersecurity objectives with MCU security goals.
• Provide regular reporting to leadership on the cybersecurity program status, compliance gaps, and risk trends specific to the credit union sector.
• Design, implement, and update InfoSec performance metrics and key risk indicators (KRIs) to measure the maturity and effectiveness of the security program.
• Act as a resource for employees on GRC-related inquiries to promote a culture of compliance and security awareness.