In September 2016, the Federal Financial Institutions Examination Council (FFIEC) released an updated Information Security Booklet as part of the IT Examination Handbook. Among other contemporary concepts, the FFIEC placed an increased emphasis on the role of Information Security Officers (ISOs) in financial institutions. In section I.B Responsibility and Accountability (Page 5), the FFIEC provides a list of six key qualities of the ISO role. Here are the six qualities and a brief interpretation of how this can be applied in your organization.
1. Sufficient Authority
Each ISO should have sufficient authority to perform their assigned tasks. While the ISO ultimately reports to the board or senior management, they must also be a trusted employee (or group of employees) who is authorized to make organization-altering decisions on their own. In short, your ISO should be someone you can, and will, trust.
2. Stature within the Organization
Each ISO should have stature within the organization to perform their assigned tasks. In addition to being a trustworthy part of the organization, the ISO should also be a respected part of the organization. The role of the ISO is a position that should be held with esteem. This is a tone that is set from the top. If the board and senior management respect the role of the ISO, the organization's employees will respect it, as well.
Each ISO should have the knowledge to perform their assigned tasks. The ISO is tasked with oversight of the information security program. This is a broad-scoped topic which requires knowledge of the physical, technical, and administrative functions of the organization. If no one employee has sufficient knowledge to make decisions for each of these areas, it may be wise to consider appointing multiple individuals to fill the organization's ISO role as a committee.
Each ISO should have the background to perform their assigned tasks. Similar to knowledge, the ISO should have a history that involves information security. An employee can be trustworthy, respectable, and have knowledge of information security, but be lacking a foundation of experience. Information security is an ever-changing field. Appointing an ISO who does not have experience in the field is a risk to the organization's information security.
Each ISO should have continued training to perform their assigned tasks. Since the field is ever-changing, it should not be assumed that the ISO has all the training required to perform their duty. As the threat environment changes, as new controls are implemented, as the industry advances, the board and senior management should expect the ISO or members of the ISO team to further their education through training.
Each ISO should have the independence to perform their assigned tasks. It would be best to avoid conflicts of interest when selecting an ISO. For example, while knowledge of information technology (IT) is important, the ISO should not be the person responsible for implementing the organization's IT function. For community financial institutions, this is not always practical. So, if your organization finds independence difficult, it may be beneficial to appoint individuals from various departments to fill the organization's ISO role as a committee.
While the FFIEC may not be very prescriptive when it comes to appointing an ISO, by ensuring your organization's ISO is trustworthy, respectable, knowledgeable, experienced, interested in learning, and independent of other functions in the organization, your organization can lay the foundation for an effective information security program.