On the Job: Checklist for Signing off on Information Security Projects

What's the most important factor in signing off information security projects at a bank? For Jon Pascoe, Director of Information Security at Arkansas-based Arvest Bank, the highest consideration is adequately protecting customer data and meeting higher standards for safeguarding confidential information.

Other factors to be considered are:

Is a customer privacy impact assessment performed to check a bank's ability to protect customer information?
Is the project in compliance with the federal rules and regulations?
If a third-party service provider is involved, does the vendor satisfy the bank's due diligence standard? Does the vendor have information security programs and assessments in place? Do they comply with federal regulations, and are they aware of the risks associated with non-compliance?
What is the project's impact on information security?
What are the business and information security risks involved in implementing the project? Has a complete project risk assessment been executed?
Do we have controls in place to ensure risk mitigation and reduction? Do we have an alternate risk plan for assessing risks associated with new regulations?
Is the project aligned with the business and strategic objectives? For example, if the strategic goal of the bank is to get more customers, the projects should then address the question "What do we need to do to achieve this objective?" (for instance, investing in more sophisticated online tools, implementing merchant capture, or expanding branch capture).

"Banks take these factors very seriously while signing off security projects and ensure that priority is given to customer privacy as well as strategic objectives, wherein compliance plays a vital role," says Pascoe.

Usually, financial institutions have a multidisciplinary committee or an IT steering committee that provides guidance on planning, evaluating, controlling, selecting and prioritizing information security projects, adds Pascoe. This committee is made up of members from all areas of expertise, including IT, Finance, Security, Compliance, Audit, and Business, and reviews all aspects of the project based on project need, requirements, cost-benefit analysis and the project's overall probability of success.

The committee also approves the project from a security, privacy and governance standpoint and ensures that project processes and controls are aligned with federal regulations. The chairperson of this committee or the chief information security officer (CISO) generally has the final authority and say in signing off projects.
