Sam Dekay

Who’s In Charge Here? The Problem of Information Security Governance

The “Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” published in the Federal Register in 2001 to assist financial institutions in complying with the privacy safeguarding provisions of Gramm-Leach-Bliley, contains a passage relevant to the matter of InfoSec governance:

The Agencies invited comment on whether the Guidelines should require that the board designate a Corporate Information Security Officer or other responsible individual who would have the authority, subject to the board’s approval, to develop and administer the Institution’s information security program.  The Agencies received a number of comments suggesting that the Agencies should not require the creation of a new position for this purpose.  Some financial institutions also stated that hiring one or more additional staff for this purpose would impose a significant burden.  The Agencies believe that a financial institution will not need to create a new position with a specific title for this purpose, as long as the institution has adequate staff in light of the risks to its customer information.  Regardless of whether new staff are added, the lines of authority and responsibility for development, implementation, and administration of a financial institution’s information security program need to be well defined and clearly articulated.

Following this passage, which narrowly defines the issue of information security governance in terms of accountability, the Agencies note that prior regulations (e.g., 12 CFR 21.2) already require financial institutions to appoint a security officer.  However, a reading of these regulations reveals that the required “security officer” is concerned primarily with physical security, such as protecting banks from robberies and burglaries; information security is not mentioned.


  1. SecurityExec, Aug 8, 2008 at 5:35 pm

    I think it’s great that such an article has been written. Despite having a somewhat vested/biased interest in the topic (I am a security executive), I think there are some very relevant points that are compounding the problem of governance (and, ultimately, the overall effectiveness of information security). Governance and accountability are arguably what’s needed most to help truly achieve better information security across the board. Unfortunately, as we’ve seen too often, the regulatory agencies, lawmakers, and industry itself shy away from establishing accountability. It’s much easier (politically) to continue to focus on the technology rather than address the real issue. Business leaders are always going to look for the path of least resistance – hence the reason we’re seeing a lot of companies revert to positioning security and risk managers/executives down the corporate ladder, usually back into the technology ranks. Until someone steps up (the regulators/agencies should have been leading the way on this long ago, considering their increasing talk about the need to improve security of financial information), the business world simply isn’t going to accept more responsibility or accountability than it absolutely has to. That directly translates into security, privacy, and risk management reverting back to operational and technology-specific roles rather than being at the level needed for efficacy – closer to the executives and Boards of Directors.

  2. Bouch, Aug 19, 2008 at 2:05 pm

    I work for a federally funded research and development center that has to abide by a variety of government regulations, such as the NISPOM, that clearly identify roles within information security. In short, the ISSOs are the hands-on computer security folks, separate from the regular IT staff. They report to the ISRs, who work on the policies, procedures, and certifications. The ISRs are the pawns of the ISSM, who oversees the entire security posture, similar to a CISO. However, these government regulations are not enforced within the private sector. Hopefully, as corporations keep being infiltrated and sensitive customer information is leaked publicly, the citizenry will stand up for a universal information security standard for private corporations.
