Roadmap to an Effective Information Security Program

This blog was authored by my colleague Barbie Housewright, Manager, Financial Institutions.

A financial institution’s information security program is a formal, documented plan for identifying and controlling risk to sensitive information and information systems. Managing the program requires a comprehensive and proactive approach to protecting information assets. Information security practices should integrate the administrative, technical, and physical controls necessary to maintain the confidentiality, integrity, and availability of critical information assets. More than ever, financial institutions depend on on-premises technology and on secure connections to cloud-based resources. While technology plays a major role in the processing of information today, not all information assets are technical in nature. Information assets may include systems, data, network connections, staff, third parties, and any other resources used in the processing of information.

Risk Assessment

A financial institution cannot begin to protect information assets without first identifying the critical assets in need of protection. Identifying, measuring, and controlling the key risks associated with those assets is the foundation of an effective information security program. Security controls are then documented and implemented through policies and procedures, business continuity plans, incident response plans, and training programs. Risk assessment procedures provide the means to build a comprehensive program by identifying, analyzing, evaluating, remediating, and monitoring risk. The risk assessment is also the vehicle for communicating risk severity to executive management and the board of directors, so that their decisions are informed by the institution’s actual risk posture.

In addition to an asset-based risk assessment, each financial institution should perform a Federal Financial Institutions Examination Council (FFIEC) cybersecurity assessment. This is a focused cyber-risk assessment that supports continuous improvement of an institution’s cybersecurity practices. When performed properly, the cybersecurity assessment becomes a driving force behind the institution’s technology and cybersecurity strategy, and it demonstrates whether the institution’s control maturity is aligned with its inherent cyber risk. Performing such an assessment is also recommended by regulatory guidance.

Financial institutions must maintain a balance between governance, risk management, and compliance. When coupled with business objectives and complex information technology environments, this mission demands the formality of documented policies, risk assessments, continuity plans, and executive reports to support ongoing risk management.

Compliance Considerations

Compliance is the process of ensuring that the financial institution’s conduct adheres to regulatory requirements and internal policy, and that this adherence can be validated. Financial institutions have a regulatory obligation under the Gramm–Leach–Bliley Act (GLBA), as well as other federal and state laws and regulations, to protect sensitive information in a prescribed manner. These regulations generally represent a minimum standard and should not be considered adequate to address all of the risks specific to a given institution without a thorough assessment of its technology environment. Compliance includes the development and observance of administrative, technical, and physical controls that protect the confidentiality, integrity, and availability of personally identifiable and account information. In practice, the institution translates the external requirements into its own policies, which then become binding internal standards. The best approach to regulatory and legal compliance is to ensure that information security policies and procedures are aligned with the governing regulations, and that the specific regulatory requirements are cited in the information security program and in any related training programs, so that each control can be traced back to the requirement it satisfies.

Financial Institution Roles and Responsibilities

The success of the information security program is the responsibility of every individual with access to sensitive information, including vendors and other third parties. This requires training to ensure knowledge and understanding of each party’s specific responsibilities. Critical to this success is ensuring that employees and vendors read and acknowledge the information security program policies. Adherence must be enforced through appropriate penalties in order to protect the institution and its customers or members. Clearly defined roles, responsibilities, and accountability are crucial components of the information security program.

The FFIEC recommends that the board of directors appoint an Information Security Officer who is responsible for ensuring the protection of all information assets from intentional and unintentional disclosure, alteration, destruction, and unavailability. Although accountable, the Information Security Officer must rely on others within the organization to implement and execute the policies and procedures that protect information. The board of directors, or a board committee, is also tasked with directing the information security program from the top. This includes reviewing and approving all policies at least annually, and reviewing reports from Information Technology Management and Steering Committees on the status of the information security program.

How we can help

CLA’s team of Outsourced Information Security Advisors can provide guidance, training, and services to help you develop or enhance your information security program. Here are a few examples of the support we can provide:

  • Information Security Program Policy Development
  • Information System Risk Assessment
  • FFIEC Cybersecurity Assessment
  • Cybersecurity and Information Technology Strategic Planning
  • Information Security Officer Training
  • End User Awareness Program
  • Annual Board Reporting on the Status of your Program
  • Business Continuity Program Development and Testing
  • Incident Response Program Development and Testing
  • Third Party Risk Management
  • Cloud Service Management

If you want to learn more now, access our complimentary library of information security training for financial institutions. Use these recordings to help you navigate today’s needs and anticipate future impact, and check back periodically for updates.


Susan is a CPA with more than 20 years of combined experience in public accounting and the financial institution industry, including experience with Fortune 500 financial services companies. Susan serves as the managing principal of CLA’s financial services group. Her responsibilities include providing engagement oversight in the areas of assurance and internal audit. In addition, Susan provides board advisory and management consulting services in the areas of strategic planning and mergers and acquisitions. Susan has been involved in multiple mergers and acquisitions of sizes ranging from $150 million to $500 billion with engagement at all stages of the process.
