Who should really be the Information Security Officer? What does it mean to be the Information Security Officer today?
When it comes to information and cyber security the responsibility falls at several levels including the Board of Directors and Senior Management. The Board is to set the tone, provide the direction, approve information security policies and designate an ISO. Senior Management is to ensure the Information Security Program is developed and maintained. The ISO; however, is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and is to be held accountable for the results of the oversight and reporting. The ISO is also responsible for seeing that the information security program is implemented and satisfies the regulatory Interagency Guidelines for Establishing Information Security Standards (GLBA). While once thought to be a technology function the role was typically delegated to the IT Manager or Officer but today the ISO is to be independent of IT operations and report directly to the board, board committee, or senior management. In fact the independence of the ISO is stated in not just one of the FFIEC IT Examination Booklets but two. The September 2016 Information Security Booklet states ‘to ensure appropriate segregation of duties, the ISO should be independent of IT operations staff and should not report to IT operations management’. The November 2015 Management Booklet states ‘the ISO should be an enterprise-wide risk management rather than a production resource devoted to IT operations’.
- Regulatory expectations
- Role of the ISO
- Typical Job Description
- Independence Mitigation Suggestions
Who Should Attend?
Board, Senior Management, Auditors, IT Management, Information Security Officer, Risk Officer, Compliance Officer, IT Committee, HR, anyone interested in the roles and responsibilities
Continuing Education (CE) Credits
This webinar is recommended for 2.5 CE Credit Hours. Each attendee will receive a Certificate of Attendance for self-reporting of CE Credits.View Delivery Options