Last time we addressed a question from the FDIC IT Examination Questionnaire, found in PART 2, OPERATIONS SECURITY AND RISK MANAGEMENT titled “Do you have a process in place to monitor and adjust, as appropriate, the information security program”.
This time, we take a closer look at another potentially troublesome Part 2 question:
“Does the bank’s strategic planning process incorporate information security (Y/N)?”
Once again, the optimal answer is “Y”, but documenting compliance is a bit tricky because this is a complex question. In fact, it’s really several questions with multiple parts, all requiring a “Y” answer.
- Do you have a strategic planning process?
- Do you have an enterprise-wide strategic plan?
- Do you have an IT strategic plan?
- Does the IT strategic plan support the overall enterprise-wide strategic plan?
- Do you have a risk-based information security program?
- and finally (assuming “Y” to all of the above)… Does your strategic planning process incorporate information security?
The reference for this is the FFIEC IT Examination Handbook, Management, June 2006, and although the entire document is an excellent guide for how management can address and control information security, I think the most relevant reference to the issue of strategic planning and information security is found on page 22:
“IT strategic plans provide insight into the organization’s planning process. Review and analysis of the strategic plans as part of the risk assessment process (my emphasis) may spotlight developing risk exposures or other deficiencies that limit the institution’s ability to implement strategic priorities.”
The FFIEC suggests that review of the strategic plans be incorporated into the risk assessment process. As I mentioned in my previous post (and as highly recommended by the FFIEC on page 5 of the same Management Handbook), the IT Steering Committee is the most logical forum for the risk assessment process, provided the committee consists of representatives from all departments, operates from a standardized agenda, and keeps meeting minutes. (There is one more requirement: that it assign responsible parties to the issues and findings that arise in the meetings, and follow them through to resolution. More about this in my next post.)
So, assuming you have both an overall strategic plan and an IT strategic plan, and assuming you incorporate discussion of these plans in the risk assessment section of your IT Steering Committee agenda, then the answer to this question is: “Yes. The process is guided by the FFIEC Management Handbook, coordinated by our IT Steering Committee, and documented in the meeting minutes.”
Next time, in Part 3: “Are project management techniques and system development life cycle processes used to guide efforts at acquiring and implementing technology (Y/N)?”