The Importance of Separating IT Operations Management and Information Security Officer Roles

Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. Information security management responsibilities may be distributed across various lines of business depending on where the risk decisions are made and the institution’s size, complexity, culture, nature of operations, or other factors.

Information security officers should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management. Information security officers should be responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.


IT Management

IT management is responsible for IT performance and administering the day-to-day operation of an institution’s IT environment.

IT management will typically perform the following:

  • Implement IT governance.
  • Implement effective processes for ITRM (IT Risk Management), including those that relate to cybersecurity.
  • Review and annually approve processes for ITRM.
  • Assess the institution’s inherent IT risks across the institution.
  • Provide regular reports to the board on IT risks, IT strategies, and IT changes.
  • Establish and coordinate priorities between the IT department and lines of business.
  • Establish a formal process to obtain, analyze, and respond to information on threats and vulnerabilities by developing a repeatable threat intelligence and collaboration program.
  • Ensure that hiring and training practices are governed by appropriate policies to maintain competent and trained staff.
  • Develop and implement the IT strategy to support the institution’s business strategy in line with its risk appetite.
  • Oversee the IT budget and maintain responsibility for performance management, IT acquisition oversight, professional development, and training.
  • Implement the IT architecture and participate in planning activities.
  • Oversee administration of IT access, maintenance, and operations on a day-to-day basis.
  • Ensure accountability for security, business resilience, risk reporting, and alignment of IT with business needs.
  • Play a key role in strategic planning as well as supporting the activities of peers in various lines of business.
  • Provide a leadership role on the steering committee.
  • Ensure review of daily activity reports from SIEM and various systems (firewalls, IDS/IPS, patching, anti-malware, AD, servers, DBs, etc.) to help ensure timely mitigation of identified information security issues.
  • Ensure review of daily access and user reports from various systems (firewalls, IDS/IPS, AD, servers, DBs, Imaging, etc.) to help ensure least privilege access, separation of duties, and change management practices are followed.

Chief Information Security Officer

The chief information security officer (CISO) is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. Often, the CISO is responsible for implementing an information security program satisfying the Interagency Guidelines Establishing Information Security Standards, which were issued pursuant to the Gramm–Leach–Bliley Act (GLBA). While in the past, the office of the CISO was considered a technology function, the role has become a strategic and integral part of the business management team. The CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT operations.

To ensure independence, the CISO should report directly to the board, a board committee, or senior management and not IT operations management. While cost and benefit decisions will always need to be made, IT security decisions and funding should not be unduly influenced by operational ease or budgetary constraints. The reporting structure should demonstrate that the CISO has the appropriate authority to carry out the responsibilities of that position and should avoid conflicts of interest that could interfere with the ability of the CISO to make decisions in line with the board’s risk appetite. The institution’s size and complexity play a role in the reporting structure. A smaller or less complex institution may have an information security officer perform the responsibilities of the CISO and report to senior management. A larger or more complex institution may have additional reporting lines for the CISO into other independent functions, such as risk management.

The CISO is typically responsible for the following:

  • Implementing the information security strategy and objectives, as the board of directors approved, including strategies to monitor and address current and emerging risks.
  • Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks.
  • Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.
  • Monitoring emerging risks and implementing mitigations.
  • Informing the board, management, and staff of information security and cybersecurity risks and the role of staff in protecting information.
  • Championing and documenting security awareness and training programs.
  • Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats.
  • Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate.
  • Creating an annual Information Security Report and delivering it to the Board of Directors. This report should include the elements outlined in Appendix B of Part 364, Interagency Guidelines Establishing Information Security Standards.
  • Assisting with the design, implementation, maintenance, and training of disaster recovery and business continuity plans, procedures, audits, and enhancements.
  • Assisting with evaluating new technology before purchase or implementation by helping perform a risk assessment on the technology.
  • Participating in compliance committee meetings, Audit Committee meetings and IT Steering Committee meetings when possible and appropriate. This participation ensures that Information Security is considered in all aspects of the business, and an Information Security dialog can be maintained on an ongoing basis.
  • Assisting with evaluating, performing, and monitoring Information Security Risk Analysis for key technology vendors.
  • Overseeing the performance of risk assessments and the integration of the risk assessments into a cohesive whole.
  • Assisting with preparing and presenting Risk Analysis to the Board of Directors for approval/disapproval on any risk considered to be too costly or disruptive to be remediated.
  • Reviewing summary activity reports, on at least a monthly basis, from SIEM and various systems (firewalls, IDS/IPS, patching, anti-malware, AD, servers, DBs, Imaging, Core, etc.) to help ensure timely mitigation of identified information security issues.
  • Reviewing summary access and user reports, on at least a monthly basis, from various systems (firewalls, IDS/IPS, AD, servers, DBs, Core, Teller, Electronic Banking, ACH/Wires, Imaging, etc.) to help ensure least privilege access, separation of duties, and change management practices are followed.

Patching Software and Systems is like Payroll

We’ve probably all seen an organization with everything locked down from a security perspective. Their router configs are solid, firewall reviews are done regularly, and yet, the organization is somehow compromised.

Mission and Vision

Our Mission

To cost-effectively help institutions separate the Information Security role from the IT Operations Role and assist with developing a Compliance Management System that meets your institution’s needs.


Our Vision

To provide Compliance Management, Information Security Management, and Risk Management Services for all sizes of Financial Institutions nationwide.


Ready to get started with reviewing your Information Security Efforts?

We’re here to help! Submit your information, and an AppliedCS representative will be in touch to discuss your goals.