Dear Mr. CEO: It’s Time to Make Information Security Your Responsibility

October 6, 2020

Most CEOs of community financial institutions are fully aware of the assets that must be protected. Money (both physical and digital), reputation and relationships are readily recognized as deserving of C-level attention, commanding budget and efforts in policy, procedure, management and training. But what about your data?

With all of the responsibility the leader of a community bank has in front of them, it can be easy to overlook the critical importance of information security. In fact, too often the protection of data is left solely in the hands of the IT department. This is surprising, given that for just about any financial institution, data is the organization’s most valuable asset.

Of course this isn’t to suggest that the CEO should take on direct management of IT or information security (IS) efforts. Rather, like many facets of the organization, it’s the CEO’s responsibility to set the policy and direction so that others can effectively manage it. This includes the area of information security. The good news is, contrary to many misconceptions, creating IS policy doesn’t require one bit of technical knowledge or experience.

Some key areas of focus that can help in this effort:

  • Segregation of Duties – It is the IT leader’s job to manage and secure the infrastructure of the organization. It’s the Information Security Officer’s job to safeguard your data, digital and otherwise, and to create a culture of security. These are complementary but distinctly independent roles. In fact, with respect to information security, oversight of IT is the ISO’s responsibility. One person should not hold both of these positions.
  • Change Management – Most IT controls are created to protect the integrity and security of your data (information security). Any exceptions or changes to these controls should be subject to a change management policy and specific procedures. Again, this is part of the ISO’s oversight of IT.
  • Life Cycle Planning – Simply put, old equipment means greater risk of both failure and breach. This involves both hardware and software, but the focus is workstations, servers, firewalls, switches and routers. From a policy standpoint it is good practice to determine how often these resources should be replaced. It doesn’t matter if it’s every three, four, five years or more. Budget and risk appetite should drive this, but it should not be left to “replace it if it breaks.” This policy will also please your CFO and CIO: the CFO is better able to budget and the CIO is better able to plan. Additionally, it eliminates the need to beg for funds every time something breaks.
  • Principle of Least Privilege – This one is simple; only allow access to those who need it. This not only helps protect your data, but also reduces the system resources and software licensing required. This should already be in place in some parts of your organization – think HR records. Extending it across the enterprise will enhance the security of your data and should not impact employee effectiveness.
  • Data Classification – Your data will vary greatly with respect to its value and importance – from public information to customer account data. Data should be categorized and classified based on the nature and sensitivity of that data. If you can’t identify it and find it, you can’t protect it. Setting policy to identify the owners of your data is a good first step in classifying and securing it.

While this list is by no means exhaustive, it does provide a starting point for a better understanding of IS policy and better protection of your data. Spending some time exploring these areas and working with your team to make them a part of your policy and procedures will be well worth your while.

All Covered supports financial institutions by helping improve oversight and complex security and IT processes, ensuring compliance with ever-changing regulations, and strengthening your institution’s cybersecurity posture. Contact us today to learn more.

Dave McOlgan
CISA – MBA, Information Security Consultant, Finance