The Relationship Between the ISO and IT Administrator
IT administrators (IT admins) and information security officers (ISOs) have independent yet interdependent roles that are critical to their financial institution’s security, regulatory compliance, and overall success. Both individuals must maintain a separation of duties yet work closely together to achieve a common goal: ensuring their organization’s day-to-day activities appropriately support its policies and procedures.
ISO Responsibilities
ISOs oversee everything from network security (including cybersecurity) to vendor management, to strategic alignment of IT initiatives, to general information security regulatory compliance, all of which require having on-demand access to relevant, timely, and actionable information.
ISOs rely heavily on IT administrators to share data about the network, so they can translate that data into the information that will allow them to perform their duties effectively. Therefore, reports are an integral aspect of the IT admin-ISO relationship. ISOs depend on the data provided by IT admins to complete the enterprise-wide thinking and strategic planning that is needed to protect the bank’s information and other assets.
For example, an IT admin might extract data about the number of devices that have been updated with the latest patches and report this information to the ISO. The ISO would certainly be interested in the status of all devices but would most keenly be interested in the exceptions—the devices that have not been patched—as even a single unpatched device could represent a significant risk to the organization. In addition, the ISO must further evaluate the root cause behind the exceptions: do they represent a predictable lag between patch rollout and installation that will be resolved during the normal course of reboots; or do they represent a procedural deviation or deficiency? If the latter, the ISO could make a recommendation to revisit patch management procedures and practices
IT Admin Responsibilities
IT administrators are responsible for a variety of tasks, including managing computer systems, IT personnel, information systems, data backups, and network security—and providing ISOs with essential information on all those activities. Since IT admins may have a small staff—or might be the only IT person in the department—and have privileged access to the network, institutions must closely oversee their position. According to the FFIEC Information Security Handbook, Section II.C.7(c) Segregation of Duties:
“System administrators, for instance, have the most powerful role in the user access process and have unlimited access to an institution’s information assets and technology. Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.”
The ISO in combination with the IT Steering Committee provides an important checks-and-balances process to ensure all systems are being effectively managed and maintained, and that status reporting is reliable.
ISO and IT Admin Cooperation
It’s important to remember that although the ISO and IT admin roles must be independent, they are also complementary since both entities are responsible and accountable for making sense of the vast amount of data flowing through their institution.
Because ISOs must utilize the information supplied by IT admins to produce the reporting necessary to periodically update senior management and the Board, and to authoritatively interact with IT auditors and IT examiners, this relationship must be cooperative. By maintaining a close working relationship, ISOs and IT administrators can make sure their actions support the institution’s IT strategic plan. Done properly, a successful ISO- IT admin relationship should in no way be adversarial, it should be mutually beneficial to both parties, as well as to the institution as a whole.
Obtaining Third-Party Support
Regulators place a high priority on the continuity and consistency of leadership for effective information security. At times, financial institutions will have ISOs and IT administrators leave their position either temporarily or permanently. When this happens, it can be beneficial to employ an internal committee/team or a trusted third party to help manage IT and information security.
A third-party partner can provide additional support while the ISO position is vacant, help a new employee transition into the role, or simply provide another set of eyes and an external layer of oversight to supplement what they already have in place. Collaborating with an external information security expert cannot only help the institution think more objectively, strategically, and proactively about risk during a time of transition but also when things are running smoothly. This can prevent problems later and position the institution to be stronger and more successful in the future.
Financial institutions can take advantage of a wide range of external resources designed to support the ISO and IT administrator roles. For example, ISOversight™, our virtual ISO service, offers community banks and credit unions a complete solution to help them master information security and manage compliance online. With ISOversight, institutions can make sure nothing gets overlooked, so they stay on track—which is vital with the complexities and constant changes in the technology and security environments.