Pub. 7 2018 Issue 1
Spring 2018

• Championing security awareness and training programs
• Participating in industry collaborative efforts
• Reporting significant security events

What qualities should an ISO have?

According to the FFIEC Information Security Booklet, the ISO should have the following qualities:

• Sufficient authority to fulfill their role
• Stature within the organization in order to influence and gain support for information security
• Knowledge of the organization and information security
• Background within the organization, industry and information security
• Adequate training in the fields of information security and cybersecurity
• Appropriate independence to avoid conflicts of interest

Can you have more than one ISO?

Yes. The FFIEC Information Security Booklet states “at least one information security officer,” implying an institution may have several information security officers.

To whom should the ISO report?

According to the FFIEC Management Booklet, the ISO should “report directly to the board, a board committee, or senior management and not IT operations management.” In general, the reporting structure should ensure the ISO has appropriate authority to carry out his or her responsibilities and should avoid conflicts of interest.

As an ISO, where can I go for training and education?

The ISO should have sufficient knowledge and training to perform his or her assigned tasks. There are numerous resources available for ISOs. A few valuable resources include:

• FFIEC IT Examination Handbook InfoBase (www.ithandbook.ffiec.gov) – the goal of the FFIEC InfoBase is to provide prompt delivery of introductory, reference, and educational training material on specific topics of interest to field examiners and employees of financial institutions.
• CNX Institute (www.cnx.institute) – the CNX Institute was developed to provide educational resources and a certification program for information security officers of financial institutions.
• ISACA (www.isaca.org) – ISACA is a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.
• (ISC)² (www.isc2.org) – the International Information System Security Certification Consortium, or (ISC)², is a non-profit organization which specializes in information security education and certifications.
• SANS (www.sans.org) – the SANS Institute is a private, for-profit company that specializes in information security and cybersecurity training.

Russ Horn is the president of CoNetrix. CoNetrix is a provider of information technology consulting, IT/GLBA audits and security testing, Aspire IT hosting, and the developer of tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs. Visit CoNetrix at www.CoNetrix.com.

The financial statement notes provide additional information from the vendor to clarify and disclose information regarding company processes, accounting procedures, and potential anomalies in the financial statements.

Bank Bytes