II Information Security Program Management
Management should develop and implement an information security program that does the following:
- Supports the institution's IT risk management (ITRM) process by identifying threats, measuring risk, defining information security requirements, and implementing controls.
- Integrates with lines of business and support functions in which risk decisions are made.
- Integrates third-party service provider activities with the information security program.
The institution should have a robust and effective information security program that supports the institution's ITRM process. An effective information security program includes the following:
- Risk identification
- Risk measurement
- Risk mitigation
- Risk monitoring and reporting
See also Information Security Standards, section III.B, requiring each financial institution to assess risk, including through the identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of "customer information" or "customer information systems," and section III.C, requiring each financial institution to manage and control its risks by (1) designing an information security program to control the risks it identifies, commensurate with the sensitivity of the information and the complexity and scope of the institution's activities, and (2) adopting an enumerated list of controls, as appropriate.
Refer to the IT Handbook's "Management" booklet for more information. A comprehensive information security program should incorporate cybersecurity elements, and management should identify, measure, mitigate, monitor, and report cybersecurity-related risks in accordance with the information security program and the ITRM process. In addition, to determine the overall effectiveness of the information security program, management should have comprehensive assurance and testing processes.
Management should integrate the information security program with the institution's lines of business and support functions. An integrated program provides management the ability to assess the likelihood and potential damage to the institution from an incident, identify the root cause(s) of the incident, and implement controls to address identified issues.
Institutions that outsource technology, line of business activities, and support functions should ensure integration of these activities with the information security program through an effective third-party service provider management program. Effective integration of these programs is evident when the institution creates and enforces expectations that align with the internal information security program in such a way that the combined activities of the institution and its third-party service providers result in an acceptable level of risk. Refer to the IT Handbook's "Outsourcing Technology Services" booklet for more information.
See also Information Security Standards, section III.D, requiring each financial institution to oversee service provider arrangements by (1) exercising appropriate due diligence in selecting its service providers; (2) requiring its service providers by contract to implement appropriate measures designed to ensure the security and confidentiality of the institution's "customer information"; and (3) where indicated by the institution's risk assessment, monitoring its service providers to confirm that the service providers have satisfied their contractual obligations, including by reviewing audits, summaries of test results, or other equivalent evaluations of its service providers.
II.A Risk Identification