Pub. 12 2017-2018 Issue 5

WWW.NEBANKERS.ORG | TECH TALK

UNDERSTANDING THE ROLE OF AN ISO

Russ Horn, CISA, CISSP, CRISC, President, CoNetrix

Over the past few years, as cybersecurity threats have risen, the need for financial institutions to designate an information security officer (ISO) has increased. What does this ISO role look like? In this article, we will examine what the Federal Financial Institutions Examination Council (FFIEC) handbooks say about an information security officer. For the purposes of this article, we will refer to the chief information security officer, information security officer, and corporate information security officer similarly, and use the acronym ISO to encompass the collection of job titles.

What is an information security officer?

According to the FFIEC Information Security Booklet, financial institutions should “designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” In the past, many considered the ISO role a technology function; however, the most recent FFIEC Management Booklet suggests, “the role has become a strategic and integral part of the business management team” and the ISO should now be “an enterprise-wide risk manager rather than a production resource devoted to IT operations.”

What are the responsibilities of an ISO?

According to the FFIEC Management Booklet, the ISO is typically responsible for:
• Implementing information security strategies and objectives
• Engaging with management related to information security risk
• Working with management to protect information
• Monitoring emerging information and cybersecurity risks and implementing mitigations
• Informing the board and management of information security and cyber risks
• Championing security awareness and training programs
• Participating in industry collaborative efforts
• Reporting significant security events

What qualities should an ISO have?

According to the FFIEC Information Security Booklet, the ISO should have the following qualities:
• Sufficient authority to fulfill his or her role
• Stature within the organization
