Booklet: Information Security
Section: Security Process

Overview

The security process is the method an organization uses to implement and achieve its security objectives.  The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions.  The process includes five areas that serve as the framework for this booklet:

  • Information Security Risk Assessment—A process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.  
  • Information Security Strategy—A plan to mitigate risk that integrates technology, policies, procedures, and training.  The plan should be reviewed and approved by the board of directors. 
  • Security Controls Implementation—The acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and the assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
  • Security Monitoring—The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated.  These methodologies should verify that significant controls are effective and performing as intended.
  • Security Process Monitoring and Updating—The process of continuously gathering and analyzing information regarding new threats and vulnerabilities and actual attacks on the institution or on others, together with information on the effectiveness of the existing security controls.  This information is used to update the risk assessment, strategy, and controls.  Monitoring and updating make the process continuous instead of a one-time event.

Security risk variables include threats, vulnerabilities, attack techniques, the expected frequency of attacks, financial institution operations and technology, and the financial institution’s defensive posture.  All of these variables change constantly.  Therefore, an institution’s management of the risks requires an ongoing process.

Governance

Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards, and procedures, allocation of resources, monitoring, and accountability.  Governance is required to ensure that tasks are completed appropriately, that accountability is maintained, and that risk is managed for the entire enterprise.  Although all aspects of institutional governance are important to the maintenance of a secure environment, this booklet addresses those aspects that are unique to information security.  This section covers the management structure, responsibilities, and accountability.

Management Structure

Information security is a significant business risk that demands the engagement of the board of directors and senior business management.  It is the responsibility of everyone who has the opportunity to control or report the institution’s data.  Information security should be supported throughout the institution, including the board of directors, senior management, information security officers, employees, auditors, service providers, and contractors.  Each role has different responsibilities for information security, and each individual should be accountable for his or her actions.  Accountability requires clear lines of reporting, clear communication of expectations, and the delegation and judicious use of appropriate authority to bring about compliance with the institution’s policies, standards, and procedures.

Responsibility and Accountability

The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for

  • Central oversight and coordination,
  • Assignment of responsibility,
  • Risk assessment and measurement,
  • Monitoring and testing,
  • Reporting, and
  • Acceptable residual risk.

The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually.  A written report to the board should describe the overall status of the information security program.  At a minimum, the report should address the results of the risk assessment process; risk management and control decisions; service provider arrangements; results of security monitoring and testing; security breaches or violations and management’s responses; and recommendations for changes to the information security program. The annual approval should consider the results of management assessments and reviews, internal and external audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls.

Senior management’s attitude towards security affects the entire organization’s commitment to security.  For example, the failure of a financial institution president to comply with security policies could undermine the entire organization’s commitment to security. 

Senior management should

  • Clearly support all aspects of the information security program;
  • Implement the information security program as approved by the board of directors;
  • Establish appropriate policies, procedures, and controls;
  • Participate in assessing the effect of security issues on the financial institution and its business lines and processes;
  • Delineate clear lines of responsibility and accountability for information security risk management decisions;
  • Define risk measurement definitions and criteria;
  • Establish acceptable levels of information security risks; and
  • Oversee risk mitigation activities. 

Senior management should designate one or more individuals as information security officers.  Security officers should be responsible and accountable for administration of the security program.  At a minimum, they should directly manage or oversee the risk assessment process, development of policies, standards, and procedures, testing, and security reporting processes.  To ensure appropriate segregation of duties, the information security officers should report directly to the board or to senior management and have sufficient independence to perform their assigned tasks.  Typically, the security officers should be risk managers and not a production resource assigned to the information technology department.

Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value.  They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.

Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements.  A central authority should be responsible for establishing and monitoring the security program.  Security management responsibilities, however, may be distributed to various lines of business depending on the institution’s size, complexity, culture, nature of operations, and other factors.  The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization.  To support integration, senior management should

  • Ensure the security process is governed by organizational policies and practices that are consistently applied,
  • Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
  • Enforce compliance with the security program in a balanced and consistent manner across the organization,
  • Coordinate information security with physical security, and
  • Ensure an effective information security awareness program has been implemented throughout the organization.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors. Those decisions should be incorporated into the institution’s policies, standards, and procedures.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities.  Institutions should define these responsibilities in their security policy.  Job descriptions or contracts should specify any additional security responsibilities beyond the general policies.  Financial institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.

Internal auditors should pursue their risk-based audit program to verify that appropriate policies and procedures exist and have been adequately implemented, and should issue appropriate reports to the board of directors.  For more information, refer to the “Audit” booklet in the FFIEC IT Examination Handbook.

Management also should consider and monitor the roles and responsibilities of external parties.  The security responsibilities of technology service providers (TSPs), contractors, customers, and others who have access to the institution’s systems and data should be clearly delineated and documented in contracts.  Appropriate reporting mechanisms should be in place to allow management to make judgments as to the fulfillment of those responsibilities.  Finally, sufficient controls should be included in the contract to enable management to enforce contractual requirements.   For more information, refer to the “Outsourcing Technology Services” booklet in the FFIEC IT Examination Handbook.