I.B Responsibility and Accountability
The board, or designated board committee, should be responsible for overseeing the development, implementation, and maintenance of the institution's information security program and holding senior management accountable for its actions. The board should reasonably understand the business case for information security and the business implications of information security risks; provide management with direction; approve information security plans, policies, and programs; review assessments of the information security program's effectiveness; and, when appropriate, discuss management's recommendations for corrective action. The board should provide management with its expectations and requirements and hold management accountable for central oversight and coordination, assignment of responsibility, and effectiveness of the information security program.
The board, or designated board committee, should approve the institution's written information security program; affirm responsibilities for the development, implementation, and maintenance of the program; and review a report on the overall status of the program at least annually.See also Information Security Standards, section III.A, requiring the board of directors or an appropriate committee of the board of each financial institution to approve the institution's written information security program, and oversee the development, implementation, and maintenance of the program, including assigning specific responsibility for its implementation and reviewing management reports.
Management should provide a report to the board at least annuallySee also Information Security Standards, section III.F, requiring each financial institution to report to its board or an appropriate committee of the board at least annually. The report should include a description of the institution's compliance with the Information Security Standards and discuss material matters related to its information security program. that describes the overall status of the program and material matters related to the program, including the following:
- Risk assessment process, including threat identification and assessment.
- Risk management and control decisions, including risk acceptance and avoidance.
- Third-party service provider arrangements.
- Results of testing.
- Security breaches or violations of law or regulation and management's responses to such incidents.
- Recommendations for updates to the information security program.
When providing reports on information security, management should include the results of management assessments and reviews; internal and external audit activity related to information security; third-party reviews of the information security program and information security measures; and other internal or external reviews designed to assess the adequacy of the information security program, processes, policies, and controls.
Management also should do the following:
- Implement the board-approved information security program.
- Establish appropriate policies, standards, and procedures to support the information security program.
- Participate in assessing the effect of security threats or incidents on the institution and its lines of business and processes.
- Delineate clear lines of responsibility and communicate accountability for information security.
- Adhere to board-approved risk thresholds relating to information security threats or incidents, including those relating to cybersecurity.
- Oversee risk mitigation activities that support the information security program.
- Implement a risk acceptance process that identifies the risk and when, how, to what extent, and who in management has accepted the risk associated with identified vulnerabilities.
- Establish segregation of duties.
- Coordinate information and physical security.
- Integrate security controls throughout the institution.
- Require that data with similar criticality and sensitivity be protected consistently throughout the institution.
- Establish and monitor the information security responsibilities of third parties, as further described in the "Oversight of Third-Party Service Providers" section of this booklet.
- Maintain job descriptions or employment contracts that include specific information security responsibilities.
- Provide information security and awareness training and ongoing security-related communications to employees, and ensure employees complete such training annually.
Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. Information security management responsibilities may be distributed across various lines of business depending on where the risk decisions are made and the institution's size, complexity, culture, nature of operations, or other factors.
Information security officers should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management. Information security officers should be responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.
Internal auditors should implement a risk-based audit program to ensure management maintains and the board oversees an effective information security program. Additionally, management should issue appropriate reports to the board. Refer to the IT Handbook's "Audit" booklet.
I.A Security Culture