Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s essential that banks and credit unions maintain segregation of duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the overall health of their operations.

From a regulatory standpoint, the separation (or segregation) of the ISO’s duties is the corrective action to a concentration of duties finding. Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet. The booklet states: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”

The FFIEC also provides guidance on this matter in the IT Handbook’s Management booklet. “The institution should separate information security program management and monitoring from the daily security duties of IT operations. The IT department should have personnel with daily responsibility for implementing the institution’s security policy,” the booklet explains. “Responsibility for making changes and granting exceptions to policy should be segregated from the enforcement of the controls.”

Oversight Is the Key Issue

The importance of isolating the ISO’s duties comes down to oversight as separating the functions of the ISO and network administrator helps to create a clear audit trail and ensures that risk is being accurately assessed and reported to senior management. Without proper oversight reporting, financial institutions and their Boards lack a clear picture of their information security posture and can face other negative repercussions, such as downgrades in their Management IT component.

If, for instance, the ISO shares administrative duties and an administrator account, oversight dynamics can be undermined. As an example, the admin may have day-to-day responsibility for patch deployment, but the ISO is ideally suited to monitor and validate the overall patch management program—not the network administrator. The ISO has a higher-level, enterprise perspective of the impact of day-to-day activities; whereas the admin is at the ground level and may not always be capable of accurately assessing the full impact of performing, or not performing, a particular task. In addition, the definition of “oversight” is basically having another set of eyes validate the actions of someone else.

Understanding the Role and Duties of the ISO

The ISO’s oversight role primarily serves to ensure the integrity of a financial institution’s information security program. In essence, by segregating the admin/ISO duties, ISOs are the “other set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders.

The responsibilities of the ISO are clearly outlined in the FFIEC’s Information Security and IT Management booklets. Some of the ISO’s key duties include responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

However, in fulfilling these obligations, ISOs are expected to continually meet a high standard of information privacy and security. It’s imperative for institutions to not only assign the proper responsibilities to the ISO but to also select the right individual to assume the role.

Banks and credit unions often have difficulty designating an ISO with the appropriate technical and regulatory compliance expertise. Institutions in rural or small communities—where the talent pool is meager—might even have their chief financial officer or chief operations officer wear the hat for this “part-time” job. Regardless of these challenges, community institutions are expected to maintain the same level of segregation of duties as larger institutions. Size and complexity considerations may allow for some leeway in the timing of the separation, but not the ultimate outcome.

Leveraging a Virtual ISO

For every responsibility, there is an associated piece or set of documentation that must be provided to demonstrate adherence to and alignment with your formal written procedures. Not having an ISO with the requisite knowledge and/or time to effectively manage the assigned responsibilities of the position can result in control failures—and possibly policy or procedure non-compliance. In some cases, financial institutions may have a separation of duties “on paper”, but not so in practice. Again, the absence or presence of oversight is the key.

In fact, feedback from examiners indicates that because of the lack of oversight, there is a certain level of concentration of duties that cannot be adequately addressed internally. But institutions can remedy this problem by engaging a third-party, virtual ISO to add assurance that all responsibilities are being successfully addressed. A virtual ISO can provide another set of eyes and an independent layer of oversight on top of what the institution already has in place internally.

Virtual ISO services from Safe Systems, a national provider of fully compliant IT and security services, can be the ideal solution for community banks and credit unions. Safe Systems has proven experience in providing institutions with dependable technical expertise to ensure there is adequate separation of ISO-related duties within their organization—enhancing network security and significantly increasing regulatory compliance.