Information Security Officer duties

Posted By: Anonymous

Information Security Officer duties - 05/29/03 05:32 PM

We are in the process of writing a job description for the Information Security Officer (ISO). How are you accomplishing the requirements of the "Roles and Responsibilities" section of the new Info Sec guidelines? Is your "central authority" one person? A committee? The same as your ISO? How many ISOs do you have? I'm going to search for the analysis section Ted mentioned in his January post ("GLB Exam") about "the new position with specific title not being necessary, as long as there were adequate staff and lines of authority and responsibility for the InfoSec program are well defined and clearly articulated."

Thanks!
Posted By: Ted Dreyer

Re: Information Security Officer duties - 05/29/03 08:41 PM

You can find it in the last paragraph on page 8620 in
http://www.ffiec.gov/exam/InfoBase/documents/02-joi-safeguard_customer_info_final_rule-010201.pdf
Posted By: Princess Romeo

Re: Information Security Officer duties - 05/30/03 05:37 AM

We wound up with 2 Information Security Officers. The manager of our I.T. Department is the ISO for I.T. related information. I am the ISO for physical data and procedures. We collaborate on our Risk Assessment, policy updates, board reporting, training, etc.

Basically, it's rare to find one person who can cover all of Information Security. Since so much of it is I.T. related, you need someone well versed in technology issues. However, you also need someone who is familiar with all of the OTHER processes in the bank as well as all of the regulatory requirements and developments.
Posted By: Anonymous

Re: Information Security Officer duties - 05/30/03 02:24 PM

Thanks Ted and Bonnie! Bonnie - How does the InfoSec fit in with your corporate structure? We are just in the planning stages of a risk management "arm", but really aren't that big of a bank yet. Our compliance, audit and IT are separate departments. Are you the privacy officer also? We may have to go to the local milliner and purchase some more hats.

Thanks!
Posted By: Princess Romeo

Re: Information Security Officer duties - 05/30/03 07:10 PM

We have not specifically designated a "Privacy Officer", but as Compliance Officer, the Privacy regs come under my job description.

We do not have a very complex corporate structure either. I report to the CCO/Risk Manager. The IT Manager reports to the CFO. But it is understood that this area (as well as BSA) encompasses all of the Bank.
Posted By: Anonymous

Re: Information Security Officer duties - 05/30/03 08:32 PM

Thanks - I assume CCO is Corporate Compliance Officer?
Posted By: Princess Romeo

Re: Information Security Officer duties - 05/30/03 10:03 PM

Quote:

I assume CCO is Corporate Compliance Officer?

Oh dear, No! CCO = Chief Credit Officer. Yes, I report to the Chief Credit Officer which is not an optimal situation for a compliance program, but as long as he sees things my way, so does everyone else! And if he doesn't, that usually only lasts until our Internal Audit company says otherwise, or an examiner corrects him.