One of the key lessons financial institutions learned from the COVID-19 pandemic is that regardless of new challenges and seemingly constant change, they were expected to ensure their customers and members continued to receive products and services uninterrupted. The past 13 months (and counting) have been a live exercise in operational resilience.
The current crisis—perhaps more than any even prior—has underscored the true scope of the Information Security Officer’s job. Technically, there are only eight broad areas of responsibility for ISOs outlined in the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Management booklet. But the actual scope of ISO accountability spans at least 36 elements. One of the key challenges and responsibilities of the ISO is stakeholder reporting, which is intricately linked to accountability. The relationship between responsibility and accountability is that while the ISO is responsible for making sure critical InfoSec tasks are completed, they are also accountable to the various stakeholder groups, which requires providing documentation that a task is being completed a certain way, with a certain group, or with a certain frequency.
To meet their accountability obligations, because information security is pervasive, ISOs must be engaged at all levels across the enterprise and in all lines of business. This requires understanding every place that data is stored, processed, or transmitted—whether it involves a customer or member, employee, or vendor. The ISO also needs to be aware of the latest emerging risks and be able to implement an effective mitigation strategy. Ultimately, ISOs need to be effective at translating information to the board, management committee, and IT auditors and examiners, in a manner in which these various stakeholders are best able to consume and comprehend it.
The expectations for ISOs also extend beyond the traditional area of ensuring the confidentiality, integrity, and availability of data. ISOs are also responsible for minimizing the disruption or degradation of critical services—which has emerged as the more urgent necessity during recent pandemic and cyber events.
Some of the early challenges ISOs faced during the pandemic ranged from the technical, such as securing virtual private network access, to the administrative, such as ensuring that employees have signed acceptable-use policies and remote-access agreements. Fortunately, we’ve found that most institutions adjusted well to the initial hiccups, resulting in minimal degradation in their services. However, cybersecurity promises to keep that pressure on for the foreseeable future, even post-pandemic.
Predictably, financial institutions are now seeing more exam scrutiny in three areas.
Business Continuity Management (BCM)
When the FFIEC implemented a BCM update in 2019, it created new terminology and new expectations that are finally beginning to emerge in exam findings.
The expectation for additional strategic planning is calling for more formal project management procedures. On the IT examination side, FIs are receiving requests for “pre-initiative” risk assessments, meaning that ISOs are expected to assess the risks of a project or initiative before they even agree to move forward and select a vendor. The FFIEC’s Development and Acquisition Handbook states that “Poor planning often contributes to projects failing to meet expectations.” This early stage is referred to as the “initiation” or “feasibility” phase of the project. Once the project clears this phase and moves forward, a vendor or vendors are selected, and vendor due diligence and on-going management can proceed. As the project proceeds to completion, management should be kept informed.
Board and Committee Reporting
Which is now focusing on not just what gets reported, but the frequency of the reporting as well. Suffice to say that the traditional annual updates won’t get it done going forward.
A New Approach to Virtual ISO Services
With ISOs being forced to wear multiple hats, some institutions are choosing to leverage a virtual ISO solution. Whether outsourced, insourced, or a hybrid virtual ISO model, each offers varying levels of service, flexibility, and support. Further still, several FIs are leveraging technology in tandem with security expertise to support their ISOs.
Safe Systems’ ISOversight is a proven risk management solution that provides complete and comprehensive accountability for the responsibilities of the ISO position. This third-party solution assigns a dedicated ISO oversight lead who understands the details of the institution’s environment and provides institutions with expert guidance and access to additional resources. ISOversight is an ideal asset for new (or frankly, overwhelmed) ISOs that may be struggling to keep up with the complex responsibilities of their position. And now with federal and state examiners tightening their level of scrutiny, ISOversight is proving even more crucial for institutions that need to enhance their information security expertise.
To learn more about how Safe Systems is supporting ISOs in the industry, listen to our webinar on “The ISO in 2021: A New Approach to New Challenges and Expectations.”