…and how to answer them. Actually, answering them is the easy part; they all require a “Y”. Documenting the basis for your answer is a bit harder. Because each question really requires its own discussion, I will address each one in separate posts. Also, the questionnaire I will be referring to is the newer 12/07 version, the one with Part 5 titled “Vendor Management and Service Provider Oversight”. I’ll use this because it is the most recent, and as I posted previously, some State Banking regulators have started adopting it as well.
So, our first question is found in the “Part 2 – Operations and Risk Management” section, and asks:
“Do you have a process in place to monitor and adjust, as appropriate, the information security program (Y/N)?”
The reference for this question is found here, and again, the optimal answer is “Y”. In FDIC-speak, a “process” means assigned to a committee (or other responsible party), guided by a standardized agenda, and documented. The Board of Directors and Senior Management are ultimately responsible for the information security program, but often delegate day-to-day responsibility to an IT or Technology Committee. This practice is strongly encouraged by the FFIEC, which states in the IT Examination Management Booklet that:
“Many boards of directors choose to delegate the responsibility for monitoring IT activities to a senior management committee or IT steering committee.”
Since the IT Committee should already have responsibility for day-to-day IT governance, placing them in charge of the information security program is a natural extension of their duties. Simply make sure that the committee operates from a standard agenda, and that all meetings are documented. Your full answer to this question is “Yes. The process is coordinated by our IT Committee, and documented in the meeting minutes.”
Next…“Does the bank’s strategic planning process incorporate information security (Y/N)?”