In the FFIEC IT Handbook, look at the Booklet: Information Security, Section: Security Process. Go to
http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm

It states: The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually. At a minimum, the report should address:
1) the results of the risk assessment process;
2) risk management and control decisions;
3) service provider arrangements;
4) results of security monitoring and testing;
5) security breaches or violations and management’s responses; and
6) recommendations for changes to the information security program.
The annual approval should consider the results of management assessments and reviews, internal and external audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls.
I have a memo that touches each of the above, and I make sure it's in the board packet and approved in the board minutes.