The Director’s Role in Information Security

By: Mike Detrow, Senior Consultant and Manager of IT

Technology has changed significantly at community banks over the past 15 years. For many years, banks only had to manage a core processing system, a standalone Fedline PC, and a few workstations that were used for word processing and maintaining spreadsheets. These systems were relatively easy to secure as data was maintained in-house and connectivity to external networks was limited. Fast forward to 2017 and community banks now have connections to numerous outside networks including the internet and those of core processing vendors. Services are being offered to customers through cell phones and tablets, customer data is processed through websites, and data is stored in many locations that are not controlled by the bank.

Whether making a loan, depositing a check, or checking a customer’s account balance, nearly every function within the bank now relies on some form of technology. To remain competitive, the implementation of new technology is necessary to meet the needs of customers and to reduce a bank’s operating expenses. However, information security has often been an afterthought rather than being incorporated during the implementation process.

Regulators are emphasizing the need for a change to the security culture within community banks to make information security a higher priority, and this change must begin with the board of directors. The board must take a more active role in the oversight of the bank’s information security program. All too often, information security is treated as something that only the “IT person” can understand, and directors do not properly scrutinize the decisions made by the IT Manager or an outsourced technology support provider. The board of directors is ultimately responsible for the security of the customer information maintained by the bank and the third parties that the bank uses. As such, directors must have a clear understanding of the regulatory requirements for protecting customer information, as well as defining and monitoring the bank’s information security program. While directors may not fully understand all of the technical aspects, I have provided some general recommendations for overseeing the information security program within this article.

Recommended Documents
The following documents should be reviewed and approved by the board of directors on an annual basis, or more frequently depending on the changes that occur within the bank. While much of the information in these documents will not change, there will typically be some changes each year due to employee turnover, technological changes, or new regulatory guidance. These changes should be clearly documented to allow directors to evaluate the changes before approving the updated documents. If there are no recommended changes to these documents over a period of several years, directors should request an explanation from management.

  • IT Strategic Plan. An IT Strategic Plan should be in place to align IT initiatives with the bank’s overall strategic plan. This may include the implementation of additional products and services to compete with other financial institutions or the implementation of technologies to create internal efficiencies. The IT Strategic Plan may also identify systems that are approaching the end of their manufacturer’s support lifecycle and identify upgrade/replacement strategies.
  • IT Budget. The budgeting process should include information technology and information security expenses such as hardware and software maintenance, technology service provider expenses, contract renewals, recently approved project expenses, training expenses, and risk mitigation expenses.
  • Information Security Program. The Information Security Program identifies the technical, physical, and administrative safeguards that must be implemented to maintain the confidentiality, integrity, and availability of the bank’s information systems.
  • Information Security Risk Assessment. The Information Security Risk Assessment should identify the information systems that are in use, classify the data that the information systems store or process, identify the threats and vulnerabilities associated with each information system, identify the likelihood and impact of the risks, identify the mitigating controls that have been implemented, and evaluate the effectiveness of the mitigating controls. The risk assessment should be updated before implementing new information systems and as new threats are discovered.
  • Incident Response Plan. The Incident Response Plan should identify the procedures to be performed in response to an incident involving loss of data availability, confidentiality, and/or integrity, such as a breach. The steps of this plan should include containing the incident, recovering from the incident, the investigation process, and the notification process. This plan should be tested on a regular basis to evaluate the effectiveness of the response procedures for various types of incidents.
  • Business Continuity/Disaster Recovery Plans. The Business Continuity and Disaster Recovery Plans identify procedures for performing the bank’s business processes during or following various types of operational interruptions. These procedures must be tested on a regular basis to ensure the continuity of these business processes during a variety of disruptive events, such as natural disasters, service provider interruptions, and cyber-attacks.
  • Cybersecurity Assessment. A formal Cybersecurity Assessment should be performed to evaluate the bank’s inherent cyber risk and the effectiveness of its cybersecurity controls. If the bank is utilizing the FFIEC’s Cybersecurity Assessment Tool, an understanding of the relationship between the Inherent Risk Profile and the Cybersecurity Maturity Level is required. Plans for attaining the recommended Cybersecurity Maturity Level should be developed and the status of this process should be monitored. The Cybersecurity Assessment should be reviewed annually and updated when changes occur that affect the bank’s Inherent Risk Profile.

Recommended Reports
The Information Security Officer should provide information security program status reports to the board of directors on at least an annual basis. These reports should identify the risk assessment process, risk management and control decisions, service provider arrangements, results of independent testing of the information security program, security breaches, and recommendations for updates to the program. While some of the content within these reports will not change, these reports should reflect the actual activity since the last report and should not just be the same report with a new date at the top.

While many community banks have implemented a steering committee to manage their information security programs, directors still need to ensure that the program is effectively managed. If a steering committee is used, a formal charter should be in place to define the committee’s purpose and responsibilities. The board of directors should receive copies of the steering committee’s meeting minutes to monitor committee activities and to ensure that it is fulfilling its requirements.

Information system reports and service provider reports should be regularly monitored to identify any events that require further investigation. Some examples of the reports that should be reviewed by the steering committee or the board of directors include: ƒƒ

  • Patch management
  • Firewall
  • Intrusion detection system
  • Intrusion prevention system
  • Anomalous operating system events
  • Malware/virus protection
  • Managed services provider tickets
  • Vendor management

If the reports that are provided never indicate any anomalous activity that requires further investigation, directors should question the validity of the reports and request a review of the reporting parameters for the system(s).

Independent Audits
To assist the board of directors with its evaluation of the effectiveness of the bank’s information security program, periodic independent audits should be performed. These audits are typically performed on an annual basis depending on the size and complexity of the bank and its risk assessment. The board of directors or the audit committee should be involved in the external auditor selection process and the audit scoping process. At least one director should participate in the auditor’s exit meeting to ensure an understanding of any recommendations made by the auditor.

Conclusion
The use of a top-down approach to manage information security and holding employees accountable for complying with the bank’s information security program will greatly strengthen the security culture within the bank. A strong security culture will help to enhance the bank’s reputation among its customers, community, and the financial industry.
For more information on this article or on how Young & Associates, Inc. can assist you in this process, contact me at 330.422.3447 or mdetrow@younginc.com.