June 14, 2018
Who is Responsible for this? – WST
It is fairly common for questions to come up relating to who is responsible for various information security-related systems and monitoring functions. Questions like “Who is responsible for the log monitoring system?” or “Is it my job as the bank’s ISO to run the antivirus system?” are frequently asked.
The short answer is the Information Security Officer (ISO) should not have administrative access or functions. The role is one of an overseer and consultant. Of course, there are exceptions, especially for smaller and less complex environments. Bluntly, if you only have one person on staff that understands the technology systems that are in place, then they may be responsible for IT administration AND monitoring. If that’s the case, then the assigned ISO should be better-than-average at transparency and reporting detail.
A similar issue is one that can occur when a person is thrust into the role of ISO for the first time and is unsure of what they should be reviewing and monitoring. Determining where the responsibility of the IT department ends and their own role begins can be challenging. In this case, the ISO should have a documented job description that clearly defines their responsibilities and is approved by senior management (ideally, by the Board of Directors). The job description can then be used to help delineate whether the ISO or IT department have been assigned specific tasks. Again, regulatory guidance states the ISO should be separate from the IT department and not perform administrative functions, and instead should be in an oversight and monitoring role.
Returning to the two questions posed above, the IT department should be responsible for the implementation, administration and operational monitoring of the log management and antivirus systems. The ISO must also have unfettered monitoring visibility, including timely alerts when anything suspicious is detected by the antivirus or log management systems.
For more information, check out our https://10dsecurity.com/prod/ill-tell-you-what-you-need-to-know/