Written by Shivani Malik, Esq.

The September 9, 2016 update of the FFIEC’s Information Security Booklet, a component of the FFIEC IT Handbook, provides financial institutions with current guidance on implementing a risk-based enterprise information security program by:

1. incorporating a risk management lifecycle addressing risk identification, measurement, mitigation, monitoring and reporting; 

2. addressing the need for effective threat identification, assessment, and monitoring; and

3. identifying, assessing, and responding to incidents. 

Each component of the information security program should apply enterprise-wide, which requires the appropriate culture, governance, security operations, and assurance processes to be in place. The financial institution should align the information security program with its existing enterprise risk management program, specifically by incorporating the institution’s risk appetite and tolerance into the four (4) key areas of the information security program. Incorporating risk into each area of the program provides measurable insight into the amount of risk the institution is prepared to accept in pursuing its business objectives. The four (4) key areas of the information security program are as follows:

a. Information Security Governance
b. Information Security Program Management 
c. Information Security Risk Management
d. Security Operations

Information Security Governance

Financial institutions should promote an information security culture from the top down, with the board and management understanding and supporting the development, implementation, and maintenance of the information security program. Information security roles and responsibilities should be clearly defined and assigned following the principle of segregation of duties. Furthermore, the board and management should actively support and promote the funding of information security, ensure that the program is adequately staffed by qualified internal personnel, or properly oversee a qualified third-party provider.

Information Security Program Management

The financial institution should implement an information security program that incorporates risk and engages appropriate internal personnel and/or third parties according to that risk. The information security program should support the institution’s risk management program and include policies, standards, and procedures covering risk identification, risk measurement, risk mitigation, and risk monitoring and reporting.

Information Security Risk Management

The financial institution should develop and implement a process to identify risk throughout the enterprise. Risk is the potential that events, expected or unanticipated, may adversely affect the institution’s earnings, capital, or reputation. The institution’s information security program should evaluate and assess operational, internal, and external risks and implement controls to reduce them. Cybersecurity risk deserves particular focus, but the program should address all types of risk and the controls that reduce them.

Security Operations

The financial institution should maintain policies and procedures that describe how threat identification and assessment, threat monitoring, and incident response are implemented within the organization. The institution should coordinate internal personnel, contractors, and/or qualified third-party vendors so that all parties are aligned to deliver seamless security operations.

Community financial institutions should develop a risk-based enterprise information security program commensurate with the size and complexity of the organization. Relying on qualified managed service providers to deliver these services is an acceptable approach because it allows the community financial institution to focus on its business while ensuring that the components of the information security program are kept up to date, align with business needs, and meet regulatory requirements. Community financial institutions that use a qualified managed service provider to develop their information security program remain ultimately responsible for the content and implementation of that program. It is therefore important that these institutions understand each component of the program and the associated compliance expectations, including their responsibility for appropriate oversight of the provider.

In conclusion, incorporating risk into, and aligning, all components of the information security program across the financial institution supports the development and implementation of an enterprise risk-centric information security program, which in turn allows the institution to better monitor and manage information security for the entire enterprise.