Skip to main content


Reporting Critical Information Security Areas Upstream

Reporting Critical Information Security Areas Upstream

One of the most critical aspects of any Information Security Program is communication and sharing information. This is especially true with Executives and Board of Directors, who need to be educated and informed on all aspects of information security so they can ask better questions and make appropriate decisions. If the top level of the organization better understand the risks and the impact potential, it will help build a stronger information security culture throughout the organization.  


A Framework for Asking Better Questions 

Before we dive into the types of information and areas of your Information Security Program (ISP) that should be shared upstream, let’s talk about a framework of how to get Directors and senior management to ask better questions.  

The foundation of your ISP is your risk assessments, specifically your IT Risk Assessment, Vendor Risk Assessment, and Business Process Risk Assessment (also known as Business Impact Analysis). However, your Directors and senior management don’t often know what to look for or what’s appropriate for these risk assessments. So how can you get them to ask better questions? Share this simple framework with your top-level folks and have them ask you these questions around your risk assessments: 

  1. What are our most important things - IT assets, vendors, business Processes, etc.? 
  2. What are our most risky things? Could be Inherent Risk or Residual Risk.
  3. Have we set goals around acceptable levels of risk for IT assets, vendors, business processes, etc.? 
  4. If we have goals, are we meeting those goals? 
  5. What are our next steps? 

These five simple questions will help them to get to the areas of most concern to the organization, make better decisions, and identify where you need to spend your next information security dollar. 


What Information Should Be Shared? 

A challenge many organizations face is determining what information and reports should be shared with the Board of Directors and senior management. The above framework should be a building block for what information should be shared. Keep in mind, the top level of the organization needs to know how well the organization is managing the Information Security Program and how that compares to peers.   

Let’s start with what may be considered the top four areas - IT Risk, Organizational Risk, Third Party Risk and Emergency Preparedness.

  • IT Risk Assessment - The Board and senior management should understand the most important IT assets, as well as the most risky IT assets before and after mitigating controls have been applied. If certain IT assets exceed the organization’s acceptable risk level, a plan should be provided to identify what is needed to lower the risk to an acceptable level. This information is important when deciding where to invest in additional security controls.  
  • Organizational Risk/Cybersecurity Assessment – Every financial institution should be conducting a cybersecurity assessment at the organization level. The most common organizational risk assessment framework is the FFIEC Cybersecurity Assessment Tool (CAT). The Board and senior management should understand the institution’s Inherent Risk Profile, as well as the Cyber Maturity Levels of each CAT Domain. If the organization is not meeting its maturity goals, the top level of the organization should understand the plan to meet its cybersecurity maturity goals, including the steps or controls needed and resources required to implement those controls. 
  • Vendor Management and Risk Assessment - Vendors play a critical role in the ability of most institutions to function on a daily basis. The selection and management of those vendors are equally important. The Board and senior management should understand who the institution’s top 5-10 most critical vendors are, and any vendors that may be on a “watch list” due to concerns identified in the due diligence process. If a vendor is on a “watch list,” the top level of the organization should understand what is being done to address the concerns. 
  • Emergency Preparedness - It’s critical to communicate how well the organization is prepared to respond to service-impacting incidents, such as natural disasters, fire, security breaches, pandemic, etc. The Board and senior management should ensure that appropriate plans are documented and updated annually, including a Business Continuity Plan, Business Impact Analysis (BIA), Incident Response Plan, and a Pandemic Preparedness Plan. The top level of the organization should ensure these plans are tested annually, and the test results include follow-up action items that are addressed and tracked going forward. 

The items below are additional, important information security areas to report upstream but may vary for some organizations: 

  • Exam and Audit Findings – Findings and the remediation steps should be reported to Directors and senior management for the following: Regulatory Examinations (FDIC, OCC, NCUA, etc.), Internal/External Audits, Vulnerability Assessments, Penetration Tests, Social Engineering Assessments, results of other testing, and results of risk assessments (including next-steps). 
  • Training and Testing – Security Awareness Training and Testing should be inclusive of all employees and the Board of Directors. The Board of Directors and senior management should be aware of all the related trainings that have been completed, including the results of testing with peer comparisons. 
  • Progress on IT Strategic Initiatives – The Board of Directors and senior management should understand what actions are being taken to meet the initiatives outlined in the IT Strategic Plan. 
  • Incidents Affecting the Organization – The Board of Directors and senior management should be aware of all recent fraud events, information security incidents, and any filing of Suspicious Activity Reports (SARS). 
  • Changes to ISP-Related Policies and Procedures – All policies need to be reviewed and approved by the Board of Directors annually. 
  • New Regulations – The Board of Directors and senior management should understand the details of all new regulations applicable to the organization and the impact imposed. 
  • Budget/Staffing – If additional funding or resources are needed to achieve the requirements of the Information Security Program, such resources need to be brought to the attention of the Board of Directors and senior management.  


Upstream Reporting Frequency 

The goal is to have information security be a topic at every Board meeting and sufficiently documented in Board minutes. Keeping information security at the top of decision-makers’ minds reinforces the importance of and promotes a culture of security. 


Culture Starts at the Top 

Information security culture and initiatives must be driven from the top down to truly be successful in today’s environment. If information security is the 5th or 6th priority for an organization or a position, then the state of that organization’s security will be drastically weakened, and initiatives will constantly be reactive. However, if information security is prioritized from the top down, IS initiatives will be properly resourced, and the organization will be much more secure and proactive when it comes to security. 


Written by: Terry Kuxhaus 
Sr. Information Security Consultant – SBS CyberSecurity, LLC 


SBS Resources:

  • {Solution} TRAC: TRAC™ is our integrated cybersecurity risk management solution developed to simplify cybersecurity risk management and assist users with tackling their cybersecurity challenges with ease. It automates the tedious risk assessment process and produces customized results that align with regulation, best practices, and your strategic goals.
  • {Service} Executive/Board of Director Training: This training is used to help organizations become more knowledgeable in the topics of information security. This helps lower the risk of falling victim to some of the attacks and methods being used today, along with helping you stay compliant with laws and regulations. Keep in mind that Information Security is the responsibility of everyone at the bank, not just an individual or committee.
  • {Cyber Byte Video} Cybersecurity for Directors: According to FFIEC guidance, the "board of directors sets the tone and direction for an institution's use of IT." What does a Board need to be doing to demonstrate that they value the cybersecurity risk in your Information Security Program and can be a "credible challenge to management"?
  • {Blog} Cybersecuring Your Directors: The most successful financial institutions take the following approach to technology and cybersecurity training.
  • {Infographic} 10 Key ideas to Build a Cybersecurity Culture Infographic: Most organizations today realize that they can have the best security money can buy, but if one employee clicks a link or downloads an attachment form an email, all of that security is thrown out the window.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Business Security Executive

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, May 23, 2019
Categories: Blog