Jamie Davis, Education Manager
The separation between the Information Security Officer (ISO) and the System Administrator (Administrator) is similar to the more familiar separation of church and state. Just as religion and government are supposed to stay at arm's length, the ISO and the Administrator should work independently of each other. Per the FFIEC Information Security IT Handbook, "the security officers should be risk managers and not a production resource assigned to the information technology department."1
The Administrator should be responsible for the day-to-day operation of the bank's systems. He/she performs or schedules updates to the bank's software and hardware, and maintaining and monitoring the software the bank uses to administer the network also falls under the Administrator's umbrella. This person should have solid technical knowledge and understand the relationship between servers, workstations, switches, and patch panels, and the way all of these devices communicate with each other.
In many banks, several individuals share these responsibilities. However, having too many people involved can leave the bank open to unnecessary security risk; it is the "too many cooks in the kitchen" problem. For most banks, having one person responsible for the majority of the technical administrative duties is sufficient. That person is able to understand the entire scope of the network and therefore make better-informed decisions that affect the bank's daily operations. The other advantage is that all issues are funneled through one person, which makes it easier to keep track of problems and learn from them. A single Administrator also reduces the bank's exposure: the administrative account this person holds gives access to every file and folder on the network, so each additional person with that level of access is one more account that can be misused or compromised. In other words, the more people who hold this access, the less secure the bank becomes. Consolidating access should not remove oversight, though: that administrative account should still be assigned to a named individual rather than shared, and its use should remain reviewable by the ISO.
The ISO has more of a "top level" view of the network. This person should understand how all of the hardware and software the network encompasses affects the security of the bank's information, but he/she should not be involved in the day-to-day technical work. The ISO is responsible for ensuring the security and confidentiality of all non-public information in any form (e.g., paper, digital, verbal) wherever it exists. The ISO does not have to be a technical expert, but he/she should understand the processes and standards that are necessary to meet the bank's technical and regulatory requirements.
The government uses checks and balances to keep any one branch from gaining too much power, because unchecked power has the potential to harm individuals through actions that are not in the best interest of the public. The same should be true for a bank: the ISO-Administrator relationship should contain its own checks and balances. For instance, from the ISO's position, a network should be tightly secured with no possible data leakage. The Administrator, however, should recognize that although securing data is important, the bank still needs to perform certain functions that inherently carry risk. The two must strike a balance that limits the bank's security exposure while still enabling bank employees to accomplish necessary tasks in a timely and economical manner.
Clearly defining the roles of each position helps the bank avoid the problems that arise when one position holds too much power over the other. Training for each position helps keep the bank both safe and efficient. Safe Systems assists banks in meeting this need by providing bank-specific training for both roles. Webcast and classroom sessions are tailored not only to the software the bank uses, but also to the bank's needs from both a security and a technical perspective. By building the training around the standard requirements and regulations that auditors look for when examining a bank, Safe Systems helps bank employees keep pace with ever-changing technical requirements and security risks.
To keep a bank safe and running smoothly, the ISO's and the Administrator's responsibilities should not only be defined but also separated. To maintain continuity, however, it is important that each party is trained in the other's role and responsibilities. This allows each person to see not only the needs of the bank, but also the appropriate actions that should be taken.
1 See the FFIEC Information Security IT Handbook: http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm