Understanding the Role of an ISO

By: (CISA, CISSP, CRISC)

Publication: The Nebraska Banker , Jan/Feb 2018

NBA Jan/Feb 2018 Issue Over the past few years, as cybersecurity threats have risen, the need for financial institutions to designate an Information Security Officer (ISO) has increased.

What does this ISO role look like?  In this article, we will examine what the Federal Financial Institutions Examination Council (FFIEC) handbooks say about an information security officer. For the purposes of this article, we will refer to the Chief Information Security Officer, Information Security Officer, and Corporate Information Security Officer similarly, and use the acronym “ISO” to encompass the collection of job titles.

 

What is an Information Security Officer?

According to the FFIEC Information Security Booklet, financial institutions should “designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.”  In the past, many considered the ISO role a technology function; however, the most recent FFIEC Management Booklet suggests, “the role has become a strategic and integral part of the business management team” and the ISO should now be “an enterprise-wide risk manager rather than a production resource devoted to IT operations.”

What are the responsibilities of an ISO?

According to the FFIEC Management Booklet, the ISO is typically responsible for:

  • Implementing information security strategies and objectives
  • Engaging with management related to information security risk
  • Working with management to protect information
  • Monitoring emerging information and cybersecurity risks and implementing mitigations
  • Informing the board and management of information security and cyber risks
  • Championing security awareness and training programs
  • Participating in industry collaborative efforts
  • Reporting significant security events

What qualities should an ISO have?

According to the FFIEC Information Security Booklet, the ISO should have the following qualities:

  • Sufficient authority to fulfill their role
  • Stature within the organization in order to influence and gain support for information security
  • Knowledge of the organization and information security
  • Background within the organization, industry and information security
  • Adequate training in the fields of information security and cybersecurity
  • Appropriate independence to avoid conflicts of interest

Can you have more than one ISO?

Yes, the FFIEC Information Security Booklet states “at least one information security officer,” implying an institution may have several information security officers.

To whom should the ISO report?

According to the FFIEC Management Booklet, the ISO should “report directly to the board, a board committee, or senior management and not IT operations management.”  In general, reporting structure should ensure the ISO has appropriate authority to carry out his or her responsibilities and should avoid conflicts of interest.

As an ISO, where can I go for training and education?

The ISO should have sufficient knowledge and training to perform his or her assigned tasks.  There are numerous resources available for ISOs. A few valuable resources include:

  • FFIEC IT Examination Handbook Info Base (https://ithandbook.ffiec.gov/) – the goal of the FFIEC Info Base is to provide prompt delivery of introductory, reference, and educational training material on specific topics of interest to field examiners and employees of financial institutions.
  • CNX Institute (www.cnx.institute) – the CNX Institute was developed to provide educational resources and a certification program of information security officers of financial institutions.
  • ISACA (www.isaca.org) – ISACA is a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.
  • (ISC)2 (www.isc2.org) - The International Information System Security Certification Consortium, or (ISC)², is a non-profit organization which specializes in information security education and certifications.
  • SANS (www.sans.org) – The SANS Institute is a private, for-profit company that specializes in information security and cybersecurity training.