The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for
The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually. A written report to the board should describe the overall status of the information security program. At a minimum, the report should address the results of the risk assessment process; risk management and control decisions; service provider arrangements; results of security monitoring and testing; security breaches or violations and management's responses; and recommendations for changes to the information security program. The annual approval should consider the results of management assessments and reviews, internal and external audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls.
Senior management's attitude towards security affects the entire organization's commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.
Senior management should
Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for administration of the security program. At a minimum, they should directly manage or oversee the risk assessment process; the development of policies, standards, and procedures; testing; and security reporting processes. To ensure appropriate segregation of duties, the information security officers should report directly to the board or to senior management and have sufficient independence to perform their assigned tasks. Typically, the security officers should be risk managers and not a production resource assigned to the information technology department.
Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. (A security event occurs when the confidentiality, integrity, availability, or accountability of an information system is compromised.) They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.
Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.
Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should
Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors. Those decisions should be incorporated into the institution's policies, standards, and procedures.
Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.
Internal auditors should pursue their risk-based audit program to ensure appropriate policies and procedures and the adequacy of implementation, and issue appropriate reports to the board of directors. For more information, refer to the "Audit" booklet in the FFIEC IT Examination Handbook.
Management also should consider and monitor the roles and responsibilities of external parties. The security responsibilities of technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should be clearly delineated and documented in contracts. Appropriate reporting mechanisms should be in place to allow management to make judgments as to the fulfillment of those responsibilities. Finally, sufficient controls should be included in the contract to enable management to enforce contractual requirements. For more information, refer to the "Outsourcing Technology Services" booklet in the FFIEC IT Examination Handbook.