Pub. 12 2017-2018 Issue 5

NEBRASKA BANKERS ASSOCIATION 19 Russ Horn is the president of CoNetrix, a provider of information technology consulting, IT/GLBA audits and security testing, Aspire IT hosting, and the developer of tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs. Visit CoNetrix at www.CoNetrix.com. to influence and gain support for information security • Knowledge of the organization and information security • Background within the organization, industry, and information security • Adequate training in the fields of information security and cybersecurity • Appropriate independence to avoid conflicts of interest Can you havemore than one ISO? Yes, the FFIEC Information Security Booklet states “at least one information security officer,” implying an institution may have several information security officers. To whomshould the ISO report? According to the FFIECManagement Booklet, the ISO should “report directly to the board, a board committee, or senior management and not IT operations management.” In general, reporting structure should ensure the ISO has appropriate au- thority to carry out his or her responsibilities and should avoid conflicts of interest. Where can an ISO obtain training and education? The ISO should have sufficient knowledge and training to perform his or her assigned tasks. Numerous resources are available for ISOs. A few valuable resources include: • FFIEC IT Examination Handbook Info Base (www. ithandbook.ffiec.gov) – the goal of the FFIEC Info Base is to provide prompt delivery of introductory, reference, and educational training material on specific topics of interest to field examiners and employees of financial institutions. • CNX Institute (www.cnx.institute ) – the CNX Institute was developed to provide educational resources and a certification program of information security officers of financial institutions. • ISACA (www.isaca.org) – ISACA is a nonprofit, inde- pendent association that advocates for professionals involved in information security, assurance, risk man- agement, and governance. • (ISC) 2 (www.isc2.org ) - The International Information System Security Certification Consortium, or (ISC)², is a non-profit organization that specializes in information security education and certifications. • SANS (www.sans.org ) – The SANS Institute is a private, for-profit company that specializes in information secu- rity and cybersecurity training. 