I.B.2 Information Security
The institution should have a comprehensive information security program that addresses all technology and information assets and that complies with the Information Security Standards; these standards and the GLBA are discussed in detail in the "Protecting Sensitive Customer Information" section of this booklet. The information security program should include appropriate administrative, technical, and physical safeguards based on the inherent risk profile and the individual activities, products, and services of the institution. The board should delegate responsibility to the CISO or other appropriate personnel for assessing whether IT operations conform with policies. The CISO should ensure appropriate consideration of risks involved with new products, emerging technologies, and information systems. Testing of the controls identified in the information security program should be delegated to an independent auditor. An independent audit function can include internal auditors with sufficient independence to perform an adequate review, outside consultants or auditors, or a combination of both.
The institution should separate information security program management and monitoring from the daily security duties of IT operations. The IT department should have personnel with daily responsibility for implementing the institution's security policy. Responsibility for making changes and granting exceptions to policy should be segregated from the enforcement of the controls. Refer to the IT Handbook's "Information Security" booklet for more information.
I.B.1 IT Risk Management Structure
I.B.3 Project Management