Skip to main content


Building Out the Core Responsibilities of an ISO

Building Out the Core Responsibilities of an ISO

There are plenty of different roles and responsibilities a financial institution has to consider; however, one of the more difficult roles to address is that of the Information Security Officer (ISO). Why is this? Well, the problem might be because the ISO is one of the newest roles the long-lived banking industry has had to implement, or perhaps it’s because the responsibilities expected of the ISO are typically outside of management’s area of expertise - finance.  

Even though all financial institutions have been expected to assign the role of ISO for nearly two decades, many organizations are seemingly still working to flesh out the specific responsibilities that an Information Security Officer should handle.  

The good news is that we have the good old FFIEC IT Management Booklet to help us out.  


Digging Into the IT Management Booklet 

When looking to the FFIEC IT Booklet to build out documentation, sometimes the biggest hurdle can be to know exactly where to look. There are numerous booklets in the FFIEC IT Handbook repository, with even more information to digest. A good place to start may or may not be a surprise to most: the IT Management Booklet.  

While the IT Management Booklet does not have a specific focus on “Information Security,” it does break out the hierarchy of IT Management, including that of the ISO. Section “I.A.2 IT Management” contains a good overview of the ISO (or CISO for larger organizations) role, as well as some of those core responsibilities that are expected of the title. The following bulleted items give a solid high level of the expectations typically assigned to the ISO role.

An ISO should: 

  • Implement the information security strategy and objectives, as approved by the Board of Directors, including strategies to monitor and address current and emerging risks 
  • Engage with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks 
  • Work with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information 
  • Monitor emerging risks and implement mitigations 
  • Inform the Board, senior management, and staff of information security and cybersecurity risks and the role of staff in protecting information 
  • Champion security awareness and training programs 
  • Participate in industry collaborative efforts to monitor, share, and discuss emerging security threats
  • Report significant security events to the Board, steering committee, government agencies, and law enforcement, as appropriate 


Digging a Bit Deeper – Information Security Booklet 

While the IT Management booklet may give you a good idea of the less-detailed overview of the ISO’s responsibilities, it doesn’t quite break it out into the detail you may need to truly capture the job duties of an ISO. In order to do this, there is a bit more digging that could be done to find out exactly what some of the previously bulleted items mean, such as “Implementing the information security strategy and objectives.”  Much of this information can be pulled directly from the Information Security Booklet, which details what should be built out as part of our Information Security Program.   

To start, the “Responsibility and Accountability” section of the IS Booklet (1.B) states “Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” 

When digging into the Information Security Booklet, the responsibilities that were noted in the above section from the IT Management piece begin to take shape, and while the noted bullets may be reasonably used to build out the core responsibilities of the ISO, you can use the Information Security Booklet to find what those responsibilities should entail in a bit more detail. Additionally, according to the Information Security Booklet, the ISO should: 

  • Report directly to the Board of Directors or Senior Management 
  • Have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks 
  • Be independent of the IT operations staff and should not report to IT operations management 
  • Respond to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information 
  • Manage the negative effects on the confidentiality, integrity, availability, or value of information 
  • Minimize the disruption or degradation of critical services 

Many more responsibilities may be detailed when building out your Information Security Program, as your ISO is going to be responsible for not only the implementation and management of the document but also the communication of the document to the Board of Directors. Naturally, as you add more policies and controls to the Information Security Program while working towards your information security strategy and objectives, additional ISO responsibilities are likely to be outlined as well. The bulk of those responsibilities will still entail the “management, implementation, and communication” of the Information Security Program at their core, but the details of those requirements will be built out through the controls that are added through that document. 


Pulling the IT Management and IS Booklets Together 

You can also go beyond building out the responsibilities within the Information Security Program. The final result of your core responsibilities should be able to link the responsibilities laid out in both the IT Management Booklet and the Information Security booklet. For example, the following responsibilities are pretty naturally combined to outline the expectations from both Booklets. The ISO should: 

  • Report directly to the Board of Directors or Senior Management 
  • Maintain sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks 
  • Maintain independence from the IT operations staff (The ISO should not report to IT operations management) 
  • Take charge of the implementation, management, and enforcement of information security directives as mandated by GLBA 
  • Ensure the ongoing integration of information security with business strategies and requirements 
  • Ensure that the access control, disaster recovery, business continuity, incident response, and risk management needs of the organization are properly addressed 
  • Lead information security awareness and training initiatives to educate the workforce and customers about information risks 
  • Perform or manage ongoing information risk assessments and assessments to ensure that information systems are adequately protected and meet GLBA certification requirements 
  • Work with vendors, outside consultants, and other third parties to improve information security within the organization 
  • Lead vendor management efforts to ensure adequate performance and security practices are in place 
  • Lead an incident response team to contain, investigate, and prevent future computer security breaches 
  • Subscribe to threat notification networks, new regulations, and information sharing networks to stay current on requirements and new threats to the industry 

Clearly, this is not a be-all, end-all definitive list of ISO job responsibilities. As mentioned earlier, there will be other duties that will be identified through simply implanting and carrying our information security responsibilities at an organization. The size and complexity of your organization will also factor into the performance of other responsibilities or sharing some of these responsibilities at your organization. The above lists should give you a good start to building out an ISO job description, though. 


The Importance of an ISO 

Your ISO cannot simply be a box to check when assigning roles. One of the biggest impacts to your organization’s security, as well as the success of your IT-related audits and exams, will boil down to the effectiveness of your ISO in carrying out and understanding their role. Remember, having an ISO who does not have the proper resources or the time to carry out their assigned responsibilities will eventually lead to more and more control failure, resulting in policy non-compliance.  

While the correct assignment of responsibilities for an ISO is important, the correct assignment of the individual or individuals to take on this role might be the most important component to an ISO. Make sure your ISO has the proper training, education, time, and resource to perform his or her job properly.  


Written by: Cole Ponto 
Information Security Consultant – SBS CyberSecurity, LLC 


SBS Resources:

  • {Service} Cybersecurity Partnership: Whether you’ve got an active team of cybersecurity experts or cybersecurity is just one of your many sole responsibilities, SBS can help you strengthen your systems and keep you informed through our vCISO services or a CyberSecurity Partnership (CSP). A CSP is different from a Virtual Chief Information Security Officer (vCISO) service in that with a CSP, you have more control when it comes to making security decisions.
  • {Cyber Byte Video} Most Critical Responsibilities of an ISO: Having the role of ISO at any organization is a major responsibility. What principles of management will make you successful?


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Business Security Manager

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, May 29, 2019
Categories: Blog