Tag: VISO

08 Oct 2024

Secure Our World: Join Us in Celebrating Cybersecurity Awareness Month

Cybersecurity Awareness Month, held annually in October, is a vital international initiative designed to raise awareness about the importance of being safe and secure online. This year’s theme, “Secure Our World,” continues from 2023 and highlights simple yet effective ways for individuals, families, and businesses to protect themselves from cyber threats.

The Cybersecurity and Infrastructure Security Agency (CISA) leads the federal efforts for this campaign. They work closely with the National Cybersecurity Alliance (NCA), known for their @staysafeonline initiative, to develop and disseminate resources that educate the public on key cybersecurity practices.

Cybersecurity Tips

Here are some essential tips provided from this year’s Cybersecurity Awareness Month campaign:

  • Recognize and Report Phishing: Learn to identify phishing attempts by familiarizing yourself with their common indicators, such as suspicious links or unexpected attachments. Resist the urge to click on these and ensure you delete phishing messages promptly.
  • Use Strong Passwords: Enhance your account security by choosing passwords that are long, random, and unique. This trifecta helps protect against unauthorized access.
  • Turn On Multi-Factor Authentication (MFA): Activate MFA on all your accounts, including email, social media, and financial services. This adds an extra layer of security, making it significantly harder for cybercriminals to gain access.
  • Update Software: Keeping your devices updated with the latest security patches is crucial. If automatic updates are not available, regularly check for updates to ensure your software is secure.

Throughout October, stay engaged and increase your cybersecurity awareness by visiting the National Initiative for Cybersecurity Careers and Studies (NICCS) Cybersecurity Awareness Month page for resources and tools. You can also follow updates using the #CybersecurityAwarenessMonth on social media.

Cybersecurity Resources

Safe Systems is also providing resources to help raise cybersecurity awareness, knowledge, and understanding for our community banks and credit unions.

Please explore some of our latest offerings:

  • M365 Immersion Training – Register for this complimentary, four-part series on Microsoft 365 (M365) security. Led by certified engineers, it covers essential topics including Conditional Access Policies (CAPs), Intune management, Azure AI governance, and more. Each session delivers practical insights and actionable knowledge, ensuring robust security practices for institutions using M365 core technologies. Reserve your spot.
  • MFA Quiz – When implemented correctly, MFA can be the single most effective tool to protect against remote attacks. Test your knowledge of how MFA works and why it is so important.
  • Cybersecurity Outlook Survey – We surveyed community banks and credit unions to gain more insight into their cybersecurity challenges, priorities, best practices, and how they manage cybersecurity preparedness. Discover their responses.

For more resources, visit our Resource Center, blog site, or our interactive Compliance Guru platform which provides reliable answers to your IT, cybersecurity, and information security questions. You can also follow us on our social media channels – Facebook and LinkedIn for timely news and helpful articles throughout the year.

When it comes to investing in security, Safe Systems understands that protecting your community bank or credit union can be complex and confusing. That’s why we offer multi-layered security solutions to protect vulnerability points both inside and outside your network and we have certified engineers who specialize in Microsoft cloud security.

Please join us this month in raising awareness and taking advantage of the many available resources to help your institution secure its digital environment and prevent cyber threats.

01 Aug 2024

Effective Governance and Communication: Enhancing Your FI’s Resiliency

With the rise in cyber threats and the increasing complexity of regulatory requirements, Information Security Officers (ISOs) face unprecedented challenges. This blog focuses on the importance of governance and effective communication as a key strategy for enhancing operational resiliency.

The Gramm-Leach-Bliley Act (GLBA) first brought to the forefront the importance of establishing the role of an ISO for financial institutions (FIs). However, the significance of this role has only magnified as information technology has become essential to every department and business function within an FI. The exposure of customer non-public information (NPI) has exponentially increased with the widespread adoption of online transactions, mobile banking, and third-party relationships.

Managing information security risks effectively requires collaboration. Each stakeholder group, including end-users, IT management, IT Steering Committee, Executive Management, Risk/Audit Committees, and the Board of Directors, plays a crucial role in supporting and executing information security standards. Segregating duties between IT management and the ISO is one of the biggest challenges for many FIs. For those that lack a formal infrastructure, the FFIEC provides “visibility” and “accountability” guidelines showing how an ISO can and should collaborate with IT management.

In addition, ISOs must break down silos and communicate clearly with all the various stakeholders. This effort requires access to relevant, actionable, and up-to-date information that aligns with each group’s distinct reporting needs, engagement level, and technical understanding.

ISOs may also need to broaden the scope and frequency of their communications. For instance, it is a good best practice to meet with the Board more frequently than once a year. Board members will benefit from periodic discussions with the ISO and IT management to accurately and quickly identify potential issues related to risk such as inconsistent server backups, software patches, and systems nearing EOL. A comprehensive understanding of Human Resources standards and their impact on information security is also important to ensure that policies and procedures are consistent across the organization.

To facilitate and ensure these meetings and conversations are effective, ISOs should rely on industry-standard frameworks that can be customized for audience-based agendas and repeatable tasks. Essentially, ISOs should be transparent in communicating changes that could result in increased risk to NPI.

Overall, this can be a challenging effort, especially for smaller banks and credit unions who may not have the expertise or the time to ensure a consistent approach to governance and communication. For this reason, many FIs choose to partner with a reliable Virtual Information Security Officer (VISO) service. These third-party services provide strategic guidance and the necessary oversight to ensure comprehensive information security management.

Safe Systems ISOversight® is a VISO service that includes a suite of applications, real-time reporting, and knowledgeable FFIEC risk-management professionals who assist with policy implementation, third-party relationship management, BCP, cybersecurity risk assessments, incident response and BCP testing, and other required tasks that are customized for each FI. They also provide ongoing coaching and accurate reporting to help with communication tailored to each stakeholder group. These collaborative efforts will go a long way to ensure operational resiliency and reduce reputation risk.

For a deeper understanding of governance and communication within the ISO role and to gain more insights into enhancing operational resiliency, refer to the complete white paper, Operational Resiliency: Elevating the Role of the ISO.

18 Jul 2024

Ask the Experts: Get Reliable Answers to Your Risk Management Questions on ComplianceGuru.com

We are excited to announce the relaunch of ComplianceGuru.com. For over a decade, Safe Systems’ Compliance Guru site has been a trusted resource for community banks and credit unions providing essential insights on regulatory trends and compliance best practices.

We’ve reimagined it to be more interactive, allowing you to ask questions directly to our FFIEC risk and compliance experts, addressing risk management topics and concerns most relevant to your institution. You can also learn what your banking peers are concerned about and leverage the advice from our team to strengthen your security posture.

Since launching the new site, our Gurus have answered questions about Ransomware Self-Assessment Tool (RSAT) 2.0, NIST Cybersecurity Framework (CSF) 2.0, and work area security.

Here is a sample of what they’re saying about these important topics:

RSAT 2.0: A Proactive Approach to Ransomware Threats

Financial institutions are increasingly targeted by sophisticated ransomware attacks. To mitigate these risks, the RSAT (Ransomware Self-Assessment Tool) was developed to support banks and credit unions in their cybersecurity efforts. Originally released in October 2020, this tool was a collaborative initiative by the CSBS (Conference of State Bank Supervisors), the BECTF (Bank Electronic Crimes Task Force), and the U.S. Secret Service.

The updated version, RSAT 2.0, released in October 2023 was designed to address emerging ransomware attack vectors.

Some key questions surrounding RSAT 2.0 that financial institutions have been asking:

  • Are financial institutions required to complete RSAT 2.0?
  • Who should be involved in completing this self-assessment tool?
  • How does RSAT 2.0 differ from its predecessor?

NIST CSF 2.0: Modernizing Cybersecurity Frameworks

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a foundational guideline for improving the security and resilience of critical infrastructure. It provides a structured approach for assessing your institution’s security posture across five components: Identify, Protect, Detect, Respond, and Recover. NIST CSF 2.0 represents the latest iteration, incorporating lessons learned and adding a sixth component, Governance.

Here are some important questions you and other institutions may be asking about CSF 2.0:

  • How can CSF 2.0 address current cybersecurity challenges?
  • What resources are available to implement CSF 2.0?
  • How can CSF 2.0 be integrated into your institution’s existing risk management framework?

Compliance Guru offers reliable and informed answers to these and other IT, cybersecurity, and information security challenges. It is an invaluable resource offering guidance and tools to help community banks and credit unions like yours enhance cyber resilience.

We invite you to subscribe to this new platform to stay informed and discover best practices that better position your institution to protect customer data and ensure compliance with important federal and state regulatory guidance.

And by the way, we’re offering a limited number of $50 gift cards* to valid U.S. financial institutions that submit risk management questions on ComplianceGuru.com. So, submit your questions today!

Ask the Gurus for a Chance to win!

* Contest Rules

To qualify for the $50 gift card, your financial institution must be a valid U.S. financial institution that submits a question on ComplianceGuru.com. Questions must be relevant to risk management topics, including but not limited to IT, cybersecurity, information security, and third-party.

06 Jun 2024

The Expanding Role of ISOs – Enhancing Security & Risk Management

For financial institutions of all asset sizes and complexity of products and services, maintaining cyber preparedness is a daunting task against increasing cyber threats, reliance on third-party vendors, and ongoing personnel changes.

ISOs are tasked with augmented duties to enhance visibility and accountability in protecting non-public information and financial transactions across all business lines. This article highlights some of the evolving complexities of the ISO role, including the heightened management of third-party relationships, improved reporting to boards and stakeholders, and thorough risk assessments of projects and third-party entities. For a more in-depth examination of this topic, read our new white paper, Operational Resiliency: Elevating the Role of the ISO.

Third-party Risk Management

In response to the evolving reliance on trusted third-party service providers, federal bank regulatory agencies released new third-party risk management guidance in June 2023. This guidance is intended to help financial institutions manage risks associated with third-party relationships more effectively, including those involving key technology service providers like financial technology (FinTech) partners. It emphasizes risk management throughout the life cycle of third-party relationships, from planning and due diligence to contract negotiation, ongoing monitoring, and termination.

The heightened regulatory emphasis on third-party risk management requires additional time and attention to vet and oversee these relationships effectively. Institutions are increasingly adopting automated third-party management tools as a strategic solution to aid the Information Security Officer and other management personnel. These application-based tools facilitate tasks such as risk ranking, control assignment, and due diligence reviews to designated “vendor managers” within particular departments or functions. Utilizing these tools is advantageous in facilitating a consistent approach among stakeholders to manage the risk of third-party relationships.

Governance and Communication

Clearly defined IT and information security roles and responsibilities are required for every Financial Institution. Information technology is now a part of every department and function within a financial institution and integrates into every facet of operations. Effective management necessitates breaking down silos between IT and ISO roles and fostering regular and clear communication to ensure everyone is aligned on the security posture of the organization. Strategies ISOs can use include frequent updates to key internal stakeholders, leveraging external Virtual ISO (VISO) services, and adopting consistent frameworks for periodic, meaningful communication.

Strategic Initiatives Risk Assessment

The ISO also must play a role in the institution’s strategic IT planning. They should be involved early in assessing risks associated with new initiatives and third-party services, ensuring alignment with overall business goals and adequate preparation for potential cyber threats or operational disruptions.

As institutions navigate these increasingly complex regulatory and cyber landscapes, the role of the ISO has never been more critical. With the growing reliance on technology and third-party services, ISOs must rise to the challenge of safeguarding sensitive information and ensuring compliance with evolving guidelines.

For a deeper understanding of the complexities and evolving expectations surrounding an ISO in today’s dynamic environment, read the complete white paper: Operational Resiliency: Elevating the Role of the ISO.

30 May 2024

Beyond the FFIEC CAT: Evolving Strategies for Cyber Resilience in 2024

As cyberattacks continue to increase in frequency and impact, incorporating a dynamic cybersecurity strategy and building resilience to cyber-attacks is an important objective for all Financial Institutions (FIs). As a part of our country’s critical infrastructure, banks and credit unions are held to high regulatory standards for keeping NPI and financial transactions secure. This is why in 2015 the Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment Tool (CAT) with FIs in mind. For the past nine years, many FIs in the United States have used the CAT annually to identify changes in inherent risk that may lead to cyber vulnerabilities. They also use it to assess both control maturity and cybersecurity readiness over time. The CAT continues to be an acceptable cyber preparedness tool, but many FI’s are wondering, “is the CAT enough?”

Cybersecurity Resource Guide

In 2018, the FFIEC issued a Cybersecurity Resource Guide to expand acceptance of other cybersecurity frameworks and resources, including websites, tools, and methodologies like NIST Cybersecurity Framework 1.0. Designed to strengthen resiliency, it was updated in 2022 to address changes in the cyber landscape and emerging threats such as ransomware. One of the resources in the updated guide is the Ransomware Self-Assessment Tool (RSAT). The Bankers Electronic Crimes Task Force, State Bank Regulators, and the United States Secret Service collaboratively developed the RSAT. This question-based tool assists FIs in evaluating their efforts to mitigate specific ransomware risks and identify security gaps.

The overarching message of the FFIEC’s Cybersecurity Resource Guide is that FI’s should not “over-rely” on a single methodology for measuring control maturity and cybersecurity preparedness but should integrate a dynamic cyber security strategy for long-term resilience.

NIST Cybersecurity Framework (CSF) 2.0

In February 2024 another update was released, NIST CSF 2.0, which underscores the importance of a solid governance structure within an organization’s cybersecurity strategy. The release includes a sixth function, ‘Govern,’ which highlights the importance of developing well-defined internal management roles and clear policies and procedures to assess and prioritize risk. This function incorporates the increased focus from regulatory agencies on third-party risk management and provides implementation examples.

The emphasis on governance is a reminder of the ongoing challenge that many financial institutions, particularly smaller community banks and credit unions, face with dedicating resources to the role of the Information Security Officer. The updated CSF presents an opportunity for institutions of all sizes to re-assess inherent cyber risks and consider internal infrastructure changes that could impact cyber resiliency. This type of re-evaluation is critical especially when significant roles in IT or information security management frequently change due to retirement, leave, or other job shifts. By emphasizing governance and risk management policies, CSF 2.0 provides banks and credit unions a framework to evaluate their cybersecurity preparedness, while also providing a strategic edge in the continuous fight against cyber threats.

As financial institutions continue efforts to combat the growing number and sophistication of cyberattacks, a renewed cybersecurity strategy based on the use of the FFIEC CAT along with other enhanced resources such as the RSAT 2.0 and NIST CSF 2.0 could make significant strides to improve cyber resiliency.

For more information on these and other critical factors of cybersecurity management, download and watch our recent webinar, Protect, Detect, and Respond: Prioritizing Cybersecurity Management in 2024.

05 Aug 2022
The Importance of Succession Planning

The Importance of Succession Planning to IT and Information Security Resiliency

The Importance of Succession Planning

Change can be challenging—especially when it involves the transition of IT management and other key personnel. That’s why it’s imperative for banks and credit unions to be proactive about succession planning.

While regulators expect institutions to have a formal succession plan for key leadership roles, having a strategy for filling critical positions is a matter of practicality. If an IT administrator or information security officer (ISO) is not in place, or not available to complete the tasks, reports, and other responsibilities of these roles, then it could lead to cyberattacks and other security issues. This, in turn, can have dire consequences on a financial institution’s operations, risk-profile compliance, and reputation.

Succession Planning Strategies

Institutions can ensure IT and information security resiliency by having an effective plan for managing the absence of key security-related personnel. Depending on their size, type, and goals, they can adopt any of these approaches to succession planning:

  • Proactively assess internal talent and then orient the most suitable individual to serve as an alternate or backup for various IT admin or ISO responsibilities. The ISO alternate, for instance, should train with the existing ISO, attend ISO oversight meetings, and present appropriate information to executive management and the board. If the ISO leaves, the backup individual should be equipped to assume the role temporarily or even for the long term if necessary. Training a staff member to perform IT or information security duties is not only pragmatic, but it complies with regulatory guidance.
  • Implement an internal committee or team approach to managing IT and information security during a temporary or permanent personnel change. The committee can facilitate the IT and information security program in several ways. It can maintain processes until an outside replacement is installed or support an internal successor who is transitioning into the position. The committee can also provide coaching to keep the replacement from becoming overwhelmed by the complexity and assortment of tasks required.
  • Partner with a trusted third party to obtain the additional expertise needed to meet IT and information security benchmarks. This approach provides an accountability partnership role and a regular framework that clearly defines key responsibilities and streamlines processes. This strategy can ensure institutions have suitable resources to ease the transition of key personnel to enhance IT and information security resiliency.

Leveraging a Virtual ISO

A virtual ISO can be an ideal solution for institutions seeking to enhance IT and information security resiliency. This third-party service can not only support succession planning, but it can also serve as an extension of the internal ISO providing an external layer of oversight and an objective point of view — which allows institutions to approach risk more strategically and proactively.

ISOversight from Safe Systems, for instance, is a complete solution that makes it easier for community banks and credit unions to master information security and compliance online. This virtual ISO solution—which is especially for financial institutions—offers valuable access to applications and resources, cyber risk reporting, and compliance experts. With ISOversight, banks and credit unions can be confident that all their ISO-related requirements are completed on time, documented properly, and reported to the appropriate parties. Learn more about how to enhance your institution’s security posture during tough times. Read our white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

16 Jun 2022
Choosing a Virtual ISO (VISO)

Choosing a Virtual ISO (VISO)

The ISO’s role is becoming increasingly more complex and challenging due to growing cyber security threats, the ever-changing technology environment, and expanding regulatory expectations. It can be difficult for banks and credit unions to stay on top of information security issues. That’s why today even the smallest institutions often engage a trusted third party for help. A virtual information security officer (VISO) service can help institutions effectively manage information security so that nothing gets missed or falls through the cracks.

Common Types of VISO

The most common types of virtual ISO solutions available to institutions are the “do-it-yourself” (DIY), “hybrid,” and “offload” models. The DIY option is designed for institutions that have a solid grasp of the ISO’s job functions and just need some basic tools and limited consultation to enhance their efforts. This model is the least expensive but also requires more of a time commitment from your internal resources. The hybrid model may typically include an assortment of apps, templates, pre-configured reports, and other tools, along with a broader and deeper level of consultation. Resource requirements from the institution side are greatly reduced compared to DIY, but typically greater than offload. Accordingly, costs for a hybrid approach are somewhere between the two other models. The hybrid model also tends to be the most flexible and is designed to evolve with the changing needs of the institution. Finally, the offload approach attempts to provide a “turn-key” solution wherein the virtual ISO partner effectively assumes most or all the responsibilities of your internal ISO. This approach requires the least involvement from your institution (which could introduce other challenges…see the “Examiner Support” section below), but it is usually also the most expensive. As this model is the most inclusive, the knowledge and experience of the third-party provider are your most important consideration. The offload approach typically includes unlimited consultation, on-demand reporting, participation in committee meetings, etc.

Key Factors to Consider

When choosing a virtual ISO, there are some important aspects to consider to ensure your institution selects the best option. Keep in mind that each virtual ISO model comes with a certain level of flexibility and engagement for a specific price. The key is to carefully balance the service and costs against your specific internal resource gaps to determine the best solution for your situation. Ideally, whatever solution you choose should have the flexibility to dial up or down the level of service, depending on how your situation may change in the future.

Whatever virtual ISO solution you opt for, it should provide documentation and reporting in a form that the various stakeholders can understand. Each one of the many ISO responsibilities has one or more reports or documents that support the requirement to hold the ISO accountable for its responsibilities. The board of directors, the steering committee, the IT auditors, and examiners, all have different perspectives and comprehension levels and may require different degrees of detail for the same information. For instance, boards and examiners might require higher-level data, whereas steering committees and IT auditors might require more detailed documentation for their purposes. You should have access to on-demand reporting with relevant, actionable, up-to-date information that matches the level of engagement for the various stakeholder groups.

The regulatory guidance on ISO responsibilities includes terms such as “engaging with” and “working with” management in the individual lines of business to understand the risks of various initiatives. They also expect the ISO to “implement” the information security strategy as defined by the board, and to periodically “inform” the board and senior management on the status of the program. In the case of a virtual ISO, your hybrid or offload third-party partner needs to have an excellent understanding of enterprise-wide strategic objectives, and a good working relationship with management in all lines of business and within the different departments within your organization.

Remember, as with all outsourced activities, even though you can delegate some (or even most) of the heavy lifting to a virtual ISO, you cannot outsource responsibility. Your institution still must maintain a strong oversight effort to ensure that all ISO duties are completed, documented, and reported appropriately. Higher levels of third-party reliance require correspondingly higher levels of oversight. According to the Federal Financial Institutions Examination Council’s Outsourcing Technology Services booklet you are obligated to oversee all activities, whether you perform them, or a third-party performs them on your behalf.

Examiner Support

The examiner feedback we have seen to date strongly supports the idea of financial institutions implementing a virtual ISO solution “…as long as it’s done correctly.” That means focusing on all the responsibilities and accountabilities of the role and making sure sufficient documentation and appropriate oversight and reporting are built-in. Doing it correctly also means making sure the in-house ISO is not so detached from the processes and procedures that they cannot authoritatively explain them to a stakeholder, which can be the primary downside of the “offload” model. The decision-making process is the most important concern for regulators. Your solution should allow you to offload enough to make the ISO’s job easier and more organized, but not so much that they become disconnected and lose operational awareness of their current threat and control environment.

In conclusion, choosing the right type of virtual ISO service allows institutions to provide the appropriate level of insight and oversight for their in-house ISO. This can help them to be better equipped to manage information security activities, meet evolving industry standards, and adjust to tightening regulatory requirements, all in an increasing cyber threat environment.

At Safe Systems, we offer a virtual ISO service based on the above-described hybrid model. ISOversight™, is a VISO service that is flexible to accommodate the changing needs of community banks and credit unions. The ISOversight service includes a full suite of applications to manage everything from vendors to business continuity, along with all associated information security policies and risk assessments. This is a cost-effective, comprehensive, and flexible solution that makes information security management much more efficient. For more insight about the most common virtual ISO models and how to determine which one may be right for you, view our webinar on “Is a Virtual ISO Right for You?”

09 Jun 2022
Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

With the rise in cybercrimes and increased regulatory scrutiny, having a board-approved IT Strategic Plan is often not enough to ensure cyber resiliency. It’s essential for financial institutions to develop a robust IT management and information security infrastructure. The following excerpts from our recent white paper on “Building IT and Information Security Resiliency in Chaotic Times,” show how institutions can strengthen and support these key management roles to make better technology and security decisions, improve visibility, and reduce vulnerability. In addition, institutions can use strategic partners and risk management solutions to bolster resources they already have in place and enhance their overall cyber resilience.

1. Separating ISO Duties

Examiners have a strong interest in the IT administrator and ISO roles, which are interconnected and integral to an institution’s safety and soundness. However, many community banks and credit units still struggle with meeting the FFIEC requirements for segregating these positions. The importance of separating ISO duties relates to creating additional oversight to verify activities and maintain accountability to management and the board. Separating these functions also helps to build a clear audit trail to ensure risk is being accurately assessed and reported to senior management. While the ISO functions in an oversight capacity of the IT administrator, the ISO also relies heavily on the administrator to share data that can be used to recommend steps to improve the institution’s security posture. Therefore, the IT admin-ISO relationship must also be cooperative to ensure their daily activities support the organization’s policies and procedures.

2. Being Proactive about Succession Planning

Regulators expect financial institutions to have a formal succession plan for the ISO, IT administrator, and other key leadership roles, as indicated by the uptick in exam findings related to this issue. Depending on their size, type, and goals, institutions may employ different approaches for succession planning. They can identify and train someone to serve as an alternate or “backup” for various IT or ISO responsibilities, incorporate an internal committee or team approach for managing IT and information security, or use the support of a trusted third party to maintain IT and information security standards.

3. Partnering with a Trusted Third Party

An outside expert can provide an objective perspective that can help institutions think beyond the day-to-day issues and consider risk more proactively and strategically. Bringing in a technology partner on the front end—when things are going well—can also position institutions to be stronger and more successful in the future. For instance, a virtual information security officer (VISO) can expand an internal ISO’s capabilities and increase the likelihood that all ISO-related tasks are completed in a timely and efficient manner. A VISO can also provide an external layer of oversight to enable the required separation of duties.

ISOversight®, our virtual ISO service, makes it easier for financial institutions to master information security and manage compliance online. ISOversight is a comprehensive solution with a full suite of applications and resources, cyber risk reporting, and dedicated compliance specialists. It’s uniquely designed to help banking institutions enhance their strategies to improve IT management, information security, and compliance. With ISOversight, community banks and credit unions can ensure that no information security issues fall through the cracks—especially during challenging times.

For more information about how to enhance your institution’s security posture, read the full white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

19 May 2022
The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

IT administrators (IT admins) and information security officers (ISOs) have independent yet interdependent roles that are critical to their financial institution’s security, regulatory compliance, and overall success. Both individuals must maintain a separation of duties yet work closely together to achieve a common goal: ensuring their organization’s day-to-day activities appropriately support its policies and procedures.

ISO Responsibilities

ISOs oversee everything from network security (including cybersecurity) to vendor management, to strategic alignment of IT initiatives, to general information security regulatory compliance, all of which require having on-demand access to relevant, timely, and actionable information.

ISOs rely heavily on IT administrators to share data about the network, so they can translate that data into the information that will allow them to perform their duties effectively. Therefore, reports are an integral aspect of the IT admin-ISO relationship. ISOs depend on the data provided by IT admins to complete the enterprise-wide thinking and strategic planning that is needed to protect the bank’s information and other assets.

For example, an IT admin might extract data about the number of devices that have been updated with the latest patches and report this information to the ISO. The ISO would certainly be interested in the status of all devices but would most keenly be interested in the exceptions—the devices that have not been patched—as even a single unpatched device could represent a significant risk to the organization. In addition, the ISO must further evaluate the root cause behind the exceptions: do they represent a predictable lag between patch rollout and installation that will be resolved during the normal course of reboots; or do they represent a procedural deviation or deficiency? If the latter, the ISO could make a recommendation to revisit patch management procedures and practices

IT Admin Responsibilities

IT administrators are responsible for a variety of tasks, including managing computer systems, IT personnel, information systems, data backups, and network security—and providing ISOs with essential information on all those activities. Since IT admins may have a small staff—or might be the only IT person in the department—and have privileged access to the network, institutions must closely oversee their position. According to the FFIEC Information Security Handbook, Section II.C.7(c) Segregation of Duties:

“System administrators, for instance, have the most powerful role in the user access process and have unlimited access to an institution’s information assets and technology. Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.”

The ISO in combination with the IT Steering Committee provides an important checks-and-balances process to ensure all systems are being effectively managed and maintained, and that status reporting is reliable.

ISO and IT Admin Cooperation

It’s important to remember that although the ISO and IT admin roles must be independent, they are also complementary since both entities are responsible and accountable for making sense of the vast amount of data flowing through their institution.

Because ISOs must utilize the information supplied by IT admins to produce the reporting necessary to periodically update senior management and the Board, and to authoritatively interact with IT auditors and IT examiners, this relationship must be cooperative. By maintaining a close working relationship, ISOs and IT administrators can make sure their actions support the institution’s IT strategic plan. Done properly, a successful ISO- IT admin relationship should in no way be adversarial, it should be mutually beneficial to both parties, as well as to the institution as a whole.

Obtaining Third-Party Support

Regulators place a high priority on the continuity and consistency of leadership for effective information security. At times, financial institutions will have ISOs and IT administrators leave their position either temporarily or permanently. When this happens, it can be beneficial to employ an internal committee/team or a trusted third party to help manage IT and information security.

A third-party partner can provide additional support while the ISO position is vacant, help a new employee transition into the role, or simply provide another set of eyes and an external layer of oversight to supplement what they already have in place. Collaborating with an external information security expert cannot only help the institution think more objectively, strategically, and proactively about risk during a time of transition but also when things are running smoothly. This can prevent problems later and position the institution to be stronger and more successful in the future.

Financial institutions can take advantage of a wide range of external resources designed to support the ISO and IT administrator roles. For example, ISOversight™, our virtual ISO service, offers community banks and credit unions a complete solution to help them master information security and manage compliance online. With ISOversight, institutions can make sure nothing gets overlooked, so they stay on track—which is vital with the complexities and constant changes in the technology and security environments.

03 Sep 2020
The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The ISO is tasked with multiple simultaneous activities; supervising the financial institution’s business continuity planning, project management, vendor management, cybersecurity, exams and audits, and information security, which can be an overwhelming responsibility for one person to manage. This presents operational and compliance challenges for the institution if there is no second-in-command should the ISO become suddenly unavailable. For this reason, the Federal Financial Institution Examination Council (FFIEC) in their Management booklet outlines the importance of succession planning for key roles within the institution, including the ISO.

The Challenge

Effective succession planning involves proactively identifying alternate personnel and initiating proper cross-training for critical roles well in advance. A case in point is Billy Peele, who has worked with Iva, South Carolina-based The Peoples Bank for 45 years, and who has plans to retire by the end of 2020. Overseeing the bank’s IT and InfoSec departments, Peele has also functioned as the institution’s ISO. With a succession plan in place, the bank selected Jill Seymore and Addrian Wilson to jointly assume the title and responsibilities of the ISO in preparation of Peele’s departure.

Although highly skilled in banking operations, Seymore and Wilson initially lacked the level of ISO related experience necessary to fulfill the role. Specifically, the pair wanted a better grasp on the IT reports and to learn best practices in reviewing these reports from the ISO perspective. This learning curve could have been overwhelming for the new ISOs, but The Peoples Bank decided to implement a proven virtual ISO solution to give Seymore and Wilson the tools to become more confident in the new role.

The Solution

Too often, new ISOs do not receive a detailed hand-off document from the predecessor and may not know where to start to complete key responsibilities. Fortunately this was not the case for The Peoples Bank as Safe Systems’ ISOversight Virtual ISO Solution formalized all responsibilities into a structured framework for Seymore and Wilson, allowing for methodical review of all tasks on a monthly, quarterly, and annual basis to ensure continuity for the bank.

ISOversight serves as a risk management tool designed to support the role of the ISO by augmenting existing personnel and ensuring that all tasks and related activities are completed on time and properly reported to the various stakeholders. ISOversight helped ease Seymore and Wilson into the ISO position by grouping all of the various responsibilities into a unified platform to effortlessly manage compliance and security activities. Not only did this clearly outline key requirements of the ISO, but it also educated Peele’s successors on how to effectively perform the role.

The Results

ISOversight gave Seymore and Wilson the confidence that allowed them to trust the bank’s IT department while verifying all interrelated activities are running smoothly and securely. Reviewing reports and receiving alerts with the assistance of the VISO helps the new ISOs extract relevant, actionable information to determine if there are anomalies or exceptions that they should be aware of and act on.

The key to succession planning is to find ways to standardize and maintain the consistency and continuity of the responsibilities of the ISO. In this case, the bank can be confident that information is secure, tasks are being completed on time, and documentation is shared with auditors, examiners, and the board. At The Peoples Bank, ISOversight provided a seamless transition for Seymore and Wilson, while laying a solid foundation for future ISO activities.

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

27 Aug 2020
Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.
– FFIEC Information Security Handbook

Information security officers (ISO) have a wide range of responsibilities and navigating them can be quite challenging, especially with increased scrutiny from examiners on alignment of policies, procedures, and practices. Adding to that challenge is the associated element of accountability; the premise that unless your practices are properly documented and reported to the various stakeholder groups, there may be doubt in the mind of the examiner as to whether or not they actually happened.

As a result of this responsibility + accountability challenge, many financial institutions are turning to virtual information security officer (VISO) solutions to support the role of the ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time; are following approved procedures; and are properly reported to the various stakeholders.

In a recent webinar, Safe Systems outlined the three virtual ISO delivery models available to community banks and credit unions today and discussed key considerations when implementing each.

1. Outsource All Activities

In this model, the financial institution hires a third-party provider to take on all of the responsibility and accountability tasks of the ISO role. Outsourcing these activities minimizes your staff’s involvement, potentially freeing up time to focus on more revenue generating activities, but this approach is typically more expensive because the third-party provider is doing all of the heavy lifting.

Another important consideration is that outsourcing everything can also isolate key personnel from important procedures and practices. If the institution isn’t involved in the day-to-day information security activities, when IT auditors and examiners question your personnel, they may not have the necessary day-to-day procedural knowledge to answer their questions. For example, there will likely be activities the outsourced provider is doing that the ISO is unaware of or they are using procedures not familiar to your personnel. This could lead to audit and examination observations or findings, as the ISO is expected to have comprehensive knowledge and understanding of all information security activities

Outsourcing information security tasks is best for financial institutions with neither the time, expertise, nor inclination to perform the duties of the role. However, it comes at a higher cost, both in terms of capital outlay and also in the possibility of ISO disassociation from actual procedures and practices. The FFIEC Management Handbook uses terms such as “engaging with…,” and “working with…,” and “participating in…,” and “informing…,” to describe the typical responsibilities of the ISO. This level of involvement may be more difficult under the “outsource all” model.

2. Toolset only (Apps, Checklists, Templates, etc.)

Another option is to select a model where there’s a toolset provided to accomplish ISO tasks. The toolset could consist of applications, checklists, or templates that may be prefilled or partially filled. With this model, you’re given the tools to manage ISO responsibilities without the support. There’s less human interaction, which typically means the service is less expensive.

However, the toolset model requires more effort from staff and requires the financial institution to rely on internal resources for information security expertise and guidance. Without this guidance, this model may also introduce some inconsistencies between the institution’s policies and procedures. For example, if you specify something in one area of your policies and you reference something that may conflict with that in another area, auditors are likely going to notice and question you on it, and that could cause them to dig deeper into other areas. Policy/procedure consistency is one of the most important indicators of strong infosec governance.

This model may include access to compliance guidance and expertise, but it would be reactive instead of proactive. It is best for institutions that have the necessary internal expertise, but they just need the additional structure a toolset provides to ensure all activities are completed in a timely manner.

3. Hybrid (Toolset + Consultation)

Finally, a hybrid model combines the first two models to provide a toolset plus additional expertise, proactive guidance, and consultation. It typically has better integration between various ISO practices because it’s all under one umbrella. As a result, the institution gains consistency and better coordination within and among its policies for business continuity, vendor management, incident response, project management, and information security. However, because of the tight integration, financial institutions that do not adopt all of the tools that support this model may not see the maximum benefit. Also, because of the increased level of ISO engagement, it may be more resource intensive initially, especially if the institution is behind on key ISO tasks. However, once tasks are brought up to date, ongoing maintenance is simpler due to the integrated toolset. This model is also quite flexible and can easily adapt to the evolving needs of the institution.

This is the model we decided to adopt for our virtual ISO solution, ISOversight. We’ve found this model is best for institutions that desire the advantages of regular active involvement with outside expertise, plus a toolset and reporting to ensure the ISO remains fully engaged. The price point is somewhere between the other two models; less than a complete outsource, but a bit more than toolset only.

ISOversight is a risk management solution that provides accountability for all of the responsibilities of the ISO. We have monthly touch point meetings, and we tailor the service to meet each institution’s unique requirements.

To learn more about the information security officer role and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

13 Aug 2020
One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with Safe Systems’ Virtual ISO Solution

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Mergers and acquisitions can present significant operational challenges for information security officers (ISO) who are tasked with ensuring a smooth transition of the information security program. Often, some key responsibilities of the ISO may be overlooked as other tasks related to the merging of the two institutions take precedence, overextending the ISO as they work to manage the information security program effectively and stay on top of regulations.

The Challenge

Eric Nadeau, chief financial officer at One Florida Bank, faced this very issue when his bank acquired another bank in Florida to expand the institution’s reach across the state. Nadeau wore many hats at the bank serving as the information security officer, chief financial officer, head of accounts payable, and director of both HR and IT. Although Nadeau understood the role and responsibilities of the ISO, he simply lacked the necessary time required to develop a formal program to efficiently complete all ISO-related tasks.

After acquiring the other bank’s charter and then merging the two institutions, Nadeau knew that his bank’s existing compliance management practices would not be enough to accommodate the rapid growth and continue to satisfy the regulators. While he needed assistance in managing the information security program, the institution was not yet ready to make the investment to expand personnel by adding a dedicated ISO.

The Solution

Following the merger, the bank needed a strong operational structure in place to get the now larger institution up and running and meet regulatory expectations quickly. During the acquisition process, Nadeau was introduced to Safe Systems’ ISOversight VISO (Virtual Information Security Officer) solution. The institution One Florida Bank acquired was already a Safe Systems customer using its network management services. After learning more about the VISO and compliance program, Nadeau performed his due diligence and made the decision to implement the ISOversight solution to streamline the bank’s information security processes.

A VISO serves as an extension of the in-house ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time and are all properly documented and reported to the various stakeholders. ISOversight’s integrated approach to vendor management, business continuity planning, cybersecurity, strategic planning, and information security influenced Nadeau to implement a VISO strategy.

“We had a very aggressive growth plan and I was wearing many hats. I couldn’t cobble together a bunch of Excel-based risk assessments and manual tasks into a formal process within an acceptable time frame,” said Nadeau. “I needed a support structure that I could leverage very quickly to sustain our bank’s strong and rapid growth plan and ISOversight provided that.”

The Results

While Nadeau expected the bank to grow, he did not anticipate that the bank would become a $690M institution in just 18 months. With ISOversight, Nadeau was able to quickly implement new operational structures for the institution amidst this rapid growth.

ISOversight combines all the various risk assessments into one centralized portal with ease, eliminating the use of multiple spreadsheets and numerous documents. The VISO enabled the bank to create a new compliance infrastructure with easy-to-read summaries of all ISO activities, as well as establish a new fully compliant business continuity management plan, a robust vendor management program, and comprehensive project and audit/exam tracking. ISOversight provides an integrated approach to all these initiatives as they all work hand in hand.

“The first year after the acquisition required a massive amount of work, but ISOversight allowed our bank to prioritize and complete tasks until we reached a smooth and successful integration,” said Nadeau. “Even examiners have commented on the progress we’ve made and recognized the value that the integrated platform provided to our management.”

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

06 Aug 2020
Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Of the many roles within a financial institution, the information security officer (ISO) is the most critical for the protection of confidential and nonpublic personal information and maintaining compliance with federal regulations. In fact, the Federal Financial Institution Examination Council (FFIEC) goes so far as to mandate that all financial institutions have one or more individuals dedicated to the position of ISO.

Safe Systems held a webinar last week outlining the most common challenges for ISOs and some helpful ways that they can better identify, perform, and document their regulatory responsibilities. In this blog post, we’ll highlight two of the most important elements of the ISO role and outline 8 key regulatory responsibilities all ISOs should focus on to meet examiner expectations.

Key Elements

For ISOs, everything ultimately hinges on responsibility (specific tasks the ISO must perform) and accountability (specific documentation ISOs must provide to key internal and external stakeholders). In fact, these terms are referenced multiple times within the FFIEC guidance:

“The ISO is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. – FFIEC Management Handbook

“Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” – FFIEC Information Security Handbook

Individuals in the ISO role must effectively demonstrate both elements to adequately meet regulatory expectations.

Maintaining Compliance

The ISO must not only be able to perform key responsibilities of the role, but he or she must also provide proper documentation to specific stakeholders to satisfy the accountability requirements. The FFIEC’s Management Handbook outlines 8 key responsibilities of the ISO role including:

  1. Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks
  2. Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks
  3. Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information
  4. Monitoring emerging risks and implementing mitigations
  5. Informing the board, management and cybersecurity risks and the role of staff in protecting information
  6. Championing security awareness and training programs
  7. Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats
  8. Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate

When performing these key responsibilities, the ISO must reference the institution’s policies (what you say you do); procedures (how you say you’ll do them); and actual practices (what you actually do and are able to document). In our experience, we’ve seen that there is often a gap between procedures and practices, which often results in the majority of audit and exam findings for financial institutions.

To address this issue, many community banks and credit unions are turning to virtual ISO solutions. A virtual ISO platform serves as a risk management solution that addresses the regulatory expectations and important tasks that the ISO must oversee. The solution helps financial institutions augment their internal ISO role, streamline responsibilities, and ensure the institution’s procedures and practices are properly aligned. Most importantly, a virtual ISO can make sure that all stakeholders; Board, committee, auditor, and regulator, have the appropriate reports to document that alignment.

To learn more about the information security officer role, the 3 virtual ISO delivery models, and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”