The Virtual ISO: Best Practices for Maximum Effectiveness
The concept of a virtual information security officer (VISO) has been gaining more traction with regulators and financial institutions. In the past, regulators have said very little about institutions using a virtual ISO. But recently, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and Federal Reserve System have expressed at least conditional approval of the idea. They indicated that virtual ISOs can be a viable option—as long as their activities are subject to the same oversight requirements as in-house ISOs.
These regulators caution financial institutions to be careful when considering the risks and benefits of using a virtual ISO. They advise institutions to do their due diligence prior to choosing an external ISO partner, just as they would before selecting any other key vendor or critical service provider. These and other best practices can help institutions strategically leverage a third-party solution to maximize the effectiveness of the virtual ISO role for their organization.
Approaches to Implementation
There are three broad approaches to implementing a virtual ISO solution: do-it-yourself (DIY), hybrid, and off-load. These models come with specific benefits and responsibilities that institutions should carefully consider. Here is a summary of each approach:
- DIY: This model typically provides some apps, tools, checklists, templates, and other pre-packaged components that allow institutions to fill in the blanks. One-on-one consultation with a human would be relatively limited and likely provided for an extra charge.
- Hybrid: This approach often includes a complete set of tools: apps, templates, pre-configured reports, and sometimes pre-configured policies. Some consultation is also provided, which makes this model better suited to institutions that require a higher level of support.
- Off-load: With this model, the virtual ISO vendor does most of the heavy lifting, providing extensive consultation, on-demand reporting, and other ISO requirements. However, as is the case with the hybrid model, the financial institution remains responsible for understanding and approving all actions taken by the vendor on behalf of the institution.
Our Virtual ISO Model
At Safe Systems, we offer a hybrid virtual ISO model—ISOversight™—that supports regulatory guidance on the ISO’s role as prescribed by the Federal Financial Institutions Examination Council (FFIEC). Our model is a moderately priced, middle-ground solution that is ideal for community banks and credit unions with limited internal resources. It combines a suite of integrated compliance apps with a dedicated lead consultant, allowing institutions to benefit from the expertise of our entire compliance department. What’s more, ISOversight provides institutions with a more objective, arms-length perspective on information security. The FFIEC Management Handbook states that “To ensure independence, the CISO/ISO should report directly to the board, a board committee, or senior management and not IT operations management.” Having these two critical roles formally separated makes it easier for the network administrator to be in more of a support function for any resident or virtual ISO, which can minimize audit or exam findings related to a possible “conflict of interest” or “concentration (or separation) of duties.”
Although the apps are useful tools that assist institutions with day-to-day tasks, the key to ISOversight’s effectiveness is the consultative and advisory piece provided by the ISOversight lead consultant. Our consultants are all information security subject matter experts, with decades of experience. We know what tasks need to be completed, with what frequency, and by what groups or individuals. We hold regular touchpoint meetings with the ISO, and often the network administrator and other third-party consultants, to ensure institutions stay on track. After each touchpoint, we also provide a comprehensive point-in-time summary report on the current status of the institution’s information security processes, which the ISO can then present to the steering committee and the Board.
Our consultants will often engage with clients as they prepare for and respond to an audit or exam, and it’s not unusual for us to consult directly with the auditor or examiner during the engagement. We encourage this, as it helps ensure the financial institution is providing auditors and examiners with exactly what they are requesting (no more and no less), which avoids unnecessary confusion, possible issue escalation, and over (or under) commitment by management. In addition to the advisory piece, the ISOversight apps keep things organized, making it easier for customers to manage their policies and procedures and all the associated documentation, and provide customizable email alerts when tasks come due.
To date, ISOversight has proven to be a great fit for many institutions, and for many different reasons. For example, it is extremely helpful in situations where the IT administrator or ISO has recently left or has transitioned to a new role. Another good application for the virtual ISO role is when the size and complexity of the institution make the day-to-day information security responsibilities too burdensome, or when the institution simply wants to free the existing admin or ISO from the uncertainty of the rapidly evolving regulatory landscape.
Whether it’s third-party risk management, business continuity management, cybersecurity, or strategic planning, guidance is clear that ISOs have very specific responsibilities and should be held accountable for their completion. ISOversight ensures that all tasks the ISO is responsible for are addressed in a timely manner, that all current regulatory guidelines and best practices are met, and, just as importantly, that on-demand, stakeholder-specific documentation is available to confirm all related activities. Ultimately, selecting the right virtual model and the right vendor can often translate into “cleaner” audits and exams, resulting in a less stressed, more productive staff, a more compliant and more secure environment, and a better-informed management team.
To learn more about this topic, listen to our webinar on “The Virtual ISO: Best Practices for Maximum Effectiveness.”