#82578 - 05/23/03 07:00 PM Information Security Program/Policy
jjjeepman2003 - Louisiana
Who in the bank should be responsible for writing the Information Security Program/Policy? I have received conflicting viewpoints as to who should write it and keep it updated.

Security - PUBLIC
#82579 - 05/23/03 07:28 PM Re: Information Security Program/Policy
Anonymous

I think this will be different depending on the size and complexity of your Bank. Here are a couple of things to keep in mind.

Within the Information Security Program (ISP), the Bank will designate an Information Security Officer (ISO).

The ISO should be most closely attached to the ISP as the ISO is responsible for enforcing the policies and procedures of the ISP, as well as reviewing changes, additions, deletions to the ISP (among many other things).

The ISO could be the lead person in creating the ISP, but the ISO will probably need help from other areas.

There may be technical issues involved in authoring the ISP where the IT folks need to get involved.

There may be legal issues involved in authoring the ISP where counsel needs to be involved.

The internal auditor should not author, but should have input to the creation of the ISP.

Hope that helps.


#82580 - 05/24/03 02:34 PM Re: Information Security Program/Policy
Lawrence T. Levine - Troy, VA
For what it's worth - Once you figure out who's going to have ownership have them have a look at...

http://www.sans.org/resources/policies/#template
_________________________
Lawrence T. Levine Managing Director SecurePipe, Inc. Direct: 4342932454 www.SecurePipe.com

#82581 - 05/26/03 12:46 PM Re: Information Security Program/Policy
Dana Turner - Pipe Creek TX - U.S.
jjjeepman2003:

Please remember that -- regardless of who authors the program -- it should be tightly integrated with the institution's main Security Program. The Security Officer should be responsible for conducting all investigations and he/she will likely need considerable assistance if IT issues are involved.

Because evidence of a crime or a policy violation is crucial, also please ensure that your Information Security Program contains appropriate techniques for identifying, collecting and preserving both physical and electronic evidence items.
_________________________
Celebrating 42 entertaining years of crime . . .
danaturner@email.com

#82582 - 05/27/03 03:13 PM Re: Information Security Program/Policy
MackenzieS - Oklahoma
We are a small bank ($130M) and we designated a lender as the ISO. At the time he was knowledgeable on many of the aspects of security throughout the bank, he sits on the IT committee, and he excels at writing policies. It may seem like an unlikely candidate, but he was best suited for us. He does work closely with all departments of the bank to perform risk assessments, perform training, and monitor any changes that may require an update to the policy.
