Pub. 5 2016 Issue 1

Spring 2016 | Feature

business management team. The CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT Operations. The CISO should also be the “champion” for the financial institution’s security awareness and training programs.

• Chief Information Officer (CIO) / Chief Technology Officer (CTO) – The updated IT Management Handbook goes out of its way to ensure there is a separation between the CISO and CIO/CTO duties. The IT Management Handbook identifies the CIO/CTO position as the head of “IT Operations,” responsible for implementing and managing technology, while the CISO is a completely separate, independent function designed to manage risk and make decisions outside of IT Operations. The CIO/CTO duties include implementing the IT infrastructure, oversight of the IT budget, acquisition of new technology products and services, and more.

IT Operations versus Risk Management

As mentioned in the Governance section, the IT Risk Management section reiterates that the Information Security Program and IT Risk Management should be separate from IT Operations, especially for larger institutions. The CISO should be responsible for the Information Security Program and IT Risk Management processes, and should ensure that IT Operations are in compliance with the ISP. The CISO also needs to ensure that risk assessments of new products, emerging technologies, and information systems are completed BEFORE such new technologies are integrated into the institution’s production network or offered to customers.

Additionally, Third Party Management and Business Continuity are integrated into the rest of the updated IT Management Handbook on numerous fronts, particularly in Risk Management. This is new for the guidance, but it is something regulators have been talking about since February (the Appendix J update to the FFIEC BCP Handbook).

The final major update to the FFIEC IT Management Handbook builds out the Risk Management process a bit more prescriptively for financial institutions. The Risk Management section discusses Human Resources, IT Audit, Compliance, Budgeting, and IT Strategic Planning before breaking down the expected components of an IT Risk Assessment. The updated IT Management Handbook states that the IT Risk Assessment process should encompass the identification of risk (inherent risk), measurement of risk (metrics), mitigation of risk (residual risk), and monitoring of risk (reporting upstream and tracking remediation). IT Risk Assessment needs to be quantifiable and measurable, and needs to drive decisions at your institution. A big chunk of this update is actually dedicated to outlining IT Risk Assessment and Information Security Program expectations (Sections II and III), so be sure to dig into this section.

Other Notable Items

Section III (Risk Mitigation) outlines the major components that regulators will be looking for in your Information Security Program, including Third Party Management, Business Continuity, Software Development and Acquisition, and Insurance.

Appendix A outlines major changes to the Examination Procedures that regulators will use to review the Governance and Risk Management practices at your institution. There were previously nine (9) Objectives; there are now 14 IT Management Examination Procedure Objectives. New additions include major updates to Objective 2 (Board oversight), Governance and defined roles and responsibilities, review and oversight of controls (IT Audit), and six (6) Objectives around the IT Risk Management process.

Summary

First of all, SBS recommends you sit down with this updated FFIEC IT Management Handbook and give it a good once-over. It’s a lot to digest – 65 pages to be exact. But there is a lot of good stuff in there, particularly as it relates to setting up your institution to properly manage IT and understanding regulatory expectations of IT Risk Management. There are three (3) major takeaways to keep in mind:

1. The Board of Directors and Senior Management are going to be held more responsible for understanding IT and Cybersecurity risk than ever. Directors will be expected to understand IT risks well enough to make good decisions.

2. There is a clear separation of IT Risk Management (CISO) and IT Operations (CTO/CIO) according to this guidance. Ensure you have independence around the development and implementation of your Information Security Program and IT Risk Assessment from the day-to-day IT Operations implementation processes.

3. Your IT Risk Management process needs to be quantifiable and involve metrics. The ultimate goal of the IT Risk Management process is to help make decisions that can flow upstream into the institution’s Enterprise Risk Management process.

For more information, email sbsinstitute@protectmybank.com, visit https://www.protectmybank.com/sbsinstitute, or call (605) 269-0909, and let us know what we can do to help!
