I am curious how other banks may be handling who reports to the board each year on the effectiveness, etc. of the bank's customer information security program.

Would the audit report suffice? Or should the customer information security officer (CISO) complete the report? Or a combination of both?

Our COO overseas the data center, operations and security. He provides a report for us as he is always in the board meeting anyway.

The Customer Information Security Officer should report to the board, either directly or through someone that he/she reports to that attends the board meetings.

Any banks relying on audit to prepare and submit this report to the audit committee, as part of their audit of this area?

We just had an FDIC exam and they said that it would be fine for me as the Internal Auditor to report on the program when I perform the audit.

The Information Security Officer sends a dedicated report to the board annually specifically addressing the areas mentioned in the law.

We're the same, the Info Security Officer submits and discusses the annual report, IA only addresses deficiencies in program and does not adress any of the other "reportable" issues. We do however, try and make both reports in the same month so that they get the most complete picture available.