
Applied Compliance Services

Applied Compliance Blog

March 15th, 2019

Expected Separation of Duties Key IT, Security, and Audit Roles - Part 2

Part two of this series on the expected separation of duties amongst key IT, information security, and audit roles within a financial institution focuses on the role of IT management. Separation of duties is a key component of the FFIEC Information Security booklet, updated September 2016. The ISO should be independent of IT operations staff and should not report to IT operations management. So, what are the responsibilities of IT management within the institution and, specifically, within the information security program?

IT Management

IT management is responsible for IT performance and administering the day-to-day operation of an institution's IT environment.

IT management will typically perform the following:

This list provides a structure for the role of IT leadership that examiners expect under the information security umbrella. Our final part in this series will review the audit department's role in the information security program and its need to be separate as well.