Pub. 7 2018 Issue 1

The CommunityBanker 16 B A N K B Y T E S Understanding the Role of an ISO By Russ Horn, CISA, CISSP, CRISC O ver the past few years, as cybersecurity threats have risen, the need for financial institutions to designate an Information Security Officer (ISO) has increased. What does this ISO role look like? In this article, we will examine what the Federal Financial Institutions Examination Council (FFIEC) handbooks say about an information security officer. For the purposes of this article, we will refer to the Chief Information Security Officer, Information Security Officer, and Corporate Information Security Officer similarly, and use the acro- nym “ISO” to encompass the collection of job titles. What is an Information Security Officer? According to the FFIEC Information Security Booklet, financial institutions should “designate at least one informa- tion security officer responsible and accountable for imple- menting and monitoring the information security program.” In the past, many considered the ISO role a technology func- tion; however, the most recent FFIEC Management Booklet suggests, “the role has become a strategic and integral part of the business management team” and the ISO should now be “an enterprise-wide risk manager rather than a production resource devoted to IT operations.” What are the responsibilities of an ISO? According to the FFIEC Management Booklet, the ISO is typically responsible for: • Implementing information security strategies and objectives • Engaging with management related to information security risk • Working with management to protect information • Monitoring emerging information and cybersecurity risks and implementing mitigations • Informing the board and management of information secu- rity and cyber risks