I.A.2 IT Management
IT management is responsible for IT performance and administering the day-to-day operation of an institution. IT management should perform the following:
- Implement IT governance.
- Implement effective processes for ITRM, including those that relate to cybersecurity.
- Review and annually approve processes for ITRM.
- Assess the institution's inherent IT risks across the institution.
- Provide regular reports to the board on IT risks, IT strategies, and IT changes.
- Establish and coordinate priorities between the IT department and lines of business.
- Establish a formal process to obtain, analyze, and respond to information on threats and vulnerabilities Refer to the FFIEC's "Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement," November 3, 2014. by developing a repeatable threat intelligence and collaboration program. For example, a repeatable threat intelligence and collaboration program could include internal resources, such as audit reports and fraud detection tools, or external resources, such as information sharing networks like the Financial Services-Information Sharing and Analysis Center (FS-ISAC) and the Federal Bureau of Investigation's (FBI) InfraGard.
- Ensure that hiring and training practices are governed by appropriate policies to maintain competent and trained staff.
I.A.2(a) Executive Management
Executive management, including the chief executive officer (CEO), the chief operating officer (COO), and often the chief information officer (CIO), plays a significant role in IT management at a financial institution. Executive management develops the strategic plans and objectives for the institution and sets the budget for resources to achieve these objectives. To carry out its responsibilities, executive management should understand at a high level the IT risks faced by the institution and ensure that those risks are included in the institution's risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.
I.A.2(b) Chief Information Officer or Chief Technology Officer
The CIO or chief technology officer (CTO) is responsible and should be held accountable for the development and implementation of the IT strategy to support the institution's business strategy in line with its risk appetite. In less complex institutions, the IT manager may take on these responsibilities. This position typically oversees the IT budget and maintains responsibility for performance management, IT acquisition oversight, professional development, and training. In addition, the CIO or CTO is responsible for implementing the IT architecture and participating in planning activities. The IT management reporting structure should enable this position to accomplish these activities and ensure accountability for security, business resilience, risk reporting, and alignment of IT with business needs. The CIO or CTO should play a key role in the strategic planning as well as supporting activities of peers in various lines of business. The position often has a leadership role on the steering committee.
I.A.2(c) Chief Information Security Officer
The chief information security officer (CISO) is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. Often, the CISO is responsible for implementing an information security program satisfying the Interagency Guidelines Establishing Information Security Standards 12 CFR 30, appendix B (Office of the Comptroller of the Currency (OCC)); 12 CFR 208, appendix D-2 (Board of Governors of the Federal Reserve System); 12 CFR 364, appendix B (Federal Deposit Insurance Corporation (FDIC)); and 12 CFR 748, appendix A (National Credit Union Administration (NCUA)). Refer to appendix C of this booklet for a listing of laws, regulations, and agency guidance. (Information Security Standards), which were issued pursuant to the Gramm-Leach-Bliley Act (GLBA). While in the past the office of the CISO was considered a technology function, the role has become a strategic and integral part of the business management team. The CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT operations.
To ensure independence, the CISO should report directly to the board, a board committee, or senior management and not IT operations management. While cost and benefit decisions will always need to be made, IT security decisions and funding should not be unduly influenced by operational ease or budgetary constraints. The reporting structure should demonstrate that the CISO has the appropriate authority to carry out the responsibilities of that position and should avoid conflicts of interest that could interfere with the ability of the CISO to make decisions in line with the board's risk appetite. The institution's size and complexity plays a role in the reporting structure. A smaller or less complex institution may have an information security officer perform the responsibilities of the CISO and report to senior management. A larger or more complex institution may have additional reporting lines for the CISO into other independent functions, such as risk management.
The CISO is typically responsible for the following:
- Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks.
- Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks.
- Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.
- Monitoring emerging risks and implementing mitigations.
- Informing the board, management, and staff of information security and cybersecurity risks and the role of staff in protecting information.
- Championing security awareness and training programs.
- Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats.
- Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate.
I.A.2(d) IT Line Management
IT line managers supervise the resources and activities of a specific IT function, department, or subsidiary. They typically coordinate services between the data processing area and other departments. They report to senior IT management on the plans, projects, and performance of their specific systems or departments. Some IT functions that often rely on line managers include data center operations, network services, application development, systems administration, telecommunications, customer support, and disaster recovery. Frontline managers coordinate daily activities, monitor current production, ensure adherence to established schedules, and enforce appropriate policies and controls in their areas.
I.A.2(e) Business Unit Management
Managers in an institution's lines of business or business units also have IT responsibilities. Examples of these responsibilities include the following:
- Establishing processes for ongoing communication of business needs, information systems reporting needs, and product development plans to IT support or line management.
- Ensuring that IT development efforts are prioritized, funded, and aligned with business strategy in the business unit.
- Establishing processes to test compliance with IT-related control policies in the business unit.
- Ensuring that required backup IT resources are available.
- Documenting information flows throughout the business unit and notifying the CISO when business processes change.
- Performing due diligence reviews for prospective third-party providers and ongoing monitoring of third-party providers with which the institution has established relationships.
- Engaging with the CISO to discuss inherent information security risks of new business unit initiatives.
The specific technology roles in IT and business unit management may vary depending on the institution's approach to risk management and policy enforcement. Institutions can approach technology management using either a centralized or a decentralized strategy.
In a centralized IT environment, IT management typically acquires, installs, and maintains technology for the entire institution. IT management has a greater ability to control and monitor the institution's technology investment. A centralized approach may promote greater operational efficiencies. The business unit managers retain the responsibility for enforcing internal controls within their areas.
In a decentralized IT environment, IT management serves in an advisory role in some business units' acquisition, installation, and maintenance of technology. The decentralized approach is more common in larger or more complex institutions, where IT management can expedite decisions on IT services by transferring decision-making authority to strategically significant departments. In this approach, business line management has a much greater responsibility for ensuring that technology investments are consistent with enterprise-wide strategic plans. Institutions should ensure system compatibility and enforcement of enterprise-wide policies in a decentralized environment. IT management should still have a role in defining the institution's control requirements, but enforcement of enterprise-wide policies may be more difficult.
I.A.1 Board of Directors Oversight
I.A.3 Enterprise Architecture