
Applied Compliance Services

Applied Compliance Blog

February 14th, 2019

Expected Separation of Duties Among Key IT, Security, and Audit Roles - Part 1

This is the first in a three-part series addressing the expected separation of duties among key IT, information security, and audit roles within a financial institution. Separation of duties is an essential element of the FFIEC Information Security booklet, updated September 2016. The booklet states that management should designate at least one information security officer (ISO) responsible and accountable for implementing and monitoring the information security program. Information security management responsibilities may be distributed across various lines of business depending on where the risk decisions are made and on the institution's size, complexity, culture, nature of operations, and other factors. The ISO should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, experience, training, and independence to perform their tasks. To ensure appropriate segregation of duties, the ISO should be independent of IT operations staff and should not report to IT operations management. Let's start with the common responsibilities of the Chief Information Security Officer.

Separation of IT Operations Management and Information Security Officer roles

Information security officers should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, information security officers should be independent of the IT operations staff and should not report to IT operations management. Information security officers should be responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information, managing the negative effects on the confidentiality, integrity, availability, or value of information, and minimizing the disruption or degradation of critical services.

Chief Information Security Officer

The chief information security officer (CISO) is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. Often, the CISO is responsible for implementing an information security program that satisfies the Interagency Guidelines Establishing Information Security Standards, which were issued pursuant to the Gramm-Leach-Bliley Act (GLBA). While in the past the office of the CISO was considered a technology function, the role has become a strategic and integral part of the business management team. The CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT operations. To ensure independence, the CISO should report directly to the board, a board committee, or senior management, and not to IT operations management. While cost and benefit decisions will always need to be made, IT security decisions and funding should not be unduly influenced by operational ease or budgetary constraints. The reporting structure should demonstrate that the CISO has the appropriate authority to carry out the responsibilities of the position and should avoid conflicts of interest that could interfere with the CISO's ability to make decisions in line with the board's risk appetite. The institution's size and complexity play a role in the reporting structure. A smaller or less complex institution may have an information security officer perform the responsibilities of the CISO and report to senior management. A larger or more complex institution may have additional reporting lines for the CISO into other independent functions, such as risk management.

The CISO is typically responsible for the following:

While CISO responsibilities can vary between institutions, the above list is a good baseline to begin with. Expect examiners to look for this type of structure during their next visit. In our next blog, we'll look at the role of IT management in financial institutions.