The Information Security Program at banks and credit unions is getting to be a pretty complex thing. Policies, audits, reviews, board reports, meeting minutes, monitoring, business continuity, and risk assessments all play a part, to name just a few. It's getting to be too much to keep track of in your head, and, as I have found the hard way, too much to keep track of in an Excel spreadsheet.
About 18 months ago, I created an "ISP Calendar" for one of my clients to track all the activities that were required in an annual cycle of the information security program, and at the time, it was awesome. Examiners loved it, management loved it, IT staff loved it, and it made my job as the virtual ISO much easier.
But during that time, I've found that a more dynamic system, one that can assign tasks to multiple parties, handle recurring tasks, create an audit trail, send out email reminders, and deliver meaningful reports, is a better way to go. The old Excel spreadsheet required too much manual labor, and items could still fall through the cracks.
So I've been working with several of my clients to test a solution that automates some of this process, and they've been pleased with the results so far.
Here are some of the benefits they've been experiencing:
- Organized outline of the entire Information Security Program with assigned responsibilities and due dates
- Audit trail of what security tasks were completed by whom and when demonstrates proactive management of ISP to examiners and auditors
- Email reminders to each staff member of the upcoming and overdue tasks assigned to them
- Co-sourced or outsourced ISO arrangements gain a clearer understanding of roles and transparent oversight
- Procedures can be included with each task to ensure that staff follow a repeatable structure
- Fully documented requirements and expectations improve continuity for Information Technology and Information Security Staff
- Reporting gives management and the board a quick glance at the status of the ISP
- Visually identify dependencies, bottlenecks, and overload of the ISP cycle to balance workload and staff responsibilities
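To make the features above concrete, here is a small added example of how such a tracker can be modeled. It is illustrative code written for this article, not the system my clients are testing or any vendor product; the task names, owners, dates and the 14-day reminder window are all constructed. It shows recurring tasks that roll forward on a calendar-month cycle, an audit trail written at completion, per-owner reminder lists, a board-level status summary, and a month-by-owner workload view for spotting bottlenecks.

```python
import calendar
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

# Everything below is a constructed illustration; task names, owners and dates are hypothetical.


@dataclass
class Task:
    name: str
    owner: str
    due: date
    every_months: int = 0        # 0 = one-off; 1 = monthly, 3 = quarterly, 12 = annual
    procedure: str = ""          # steps the owner follows, so the task is repeatable
    done: bool = False
    history: list = field(default_factory=list)   # audit trail of completions


def make_task(name, owner, due_iso, every_months=0, procedure=""):
    return Task(name, owner, date.fromisoformat(due_iso), every_months, procedure)


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to month end (Mar 31 + 3 months -> Jun 30)."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def complete_task(task: Task, who: str, on: date) -> None:
    """Record who completed the task and when, then schedule the next occurrence."""
    task.history.append({"completed_by": who, "completed_on": on, "was_due": task.due,
                         "late_days": max(0, (on - task.due).days)})
    if task.every_months:
        # Roll forward from the scheduled date, not the completion date, so the cycle does not drift.
        while task.due <= on:
            task.due = add_months(task.due, task.every_months)
    else:
        task.done = True


def status(task: Task, today: date, reminder_days: int = 14) -> str:
    if task.done:
        return "done"
    if task.due < today:
        return "overdue"
    if (task.due - today).days <= reminder_days:
        return "upcoming"
    return "scheduled"


def reminders(tasks, today: date, reminder_days: int = 14) -> dict:
    """Per-owner list of tasks that warrant an email reminder (overdue, or due inside the window)."""
    out = defaultdict(list)
    for t in tasks:
        s = status(t, today, reminder_days)
        if s in ("overdue", "upcoming"):
            out[t.owner].append((t.name, s, t.due.isoformat()))
    return dict(out)


def board_summary(tasks, today: date) -> dict:
    """Counts by status: the quick-glance view for management and the board."""
    counts = defaultdict(int)
    for t in tasks:
        counts[status(t, today)] += 1
    return dict(counts)


def monthly_load(tasks, year: int) -> dict:
    """Occurrences per (owner, month) for one annual cycle, to spot overloaded months or people."""
    load = defaultdict(int)
    for t in tasks:
        if t.done:
            continue
        due = t.due
        while due.year <= year:
            if due.year == year:
                load[(t.owner, due.month)] += 1
            if not t.every_months:
                break
            due = add_months(due, t.every_months)
    return dict(load)


TODAY = date(2024, 3, 15)   # fixed "today" so the output is reproducible
SAMPLE_TASKS = [
    make_task("Quarterly user access review", "IT Manager", "2024-03-31", 3,
              "Export group membership; obtain business-owner sign-off; file the evidence."),
    make_task("Annual IT risk assessment", "ISO", "2024-02-28", 12),
    make_task("Monthly vulnerability scan review", "Network Admin", "2024-03-20", 1),
    make_task("Board information security report", "ISO", "2024-06-30", 12),
    make_task("Core provider SOC report review", "ISO", "2024-03-01"),
]

if __name__ == "__main__":
    for owner, items in reminders(SAMPLE_TASKS, TODAY).items():
        print(owner, items)
    print(board_summary(SAMPLE_TASKS, TODAY))
    complete_task(SAMPLE_TASKS[1], "ISO", TODAY)
    print(SAMPLE_TASKS[1].history, SAMPLE_TASKS[1].due)
```

Two design points matter for examiners. The next due date is computed from the scheduled date rather than the completion date, so a task finished late does not quietly push the whole annual cycle back; and the history entry records the original due date and the number of days late, which is exactly the evidence trail an auditor asks for when judging whether the program is managed proactively.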
Regardless of what system you use (even if you start with Excel), I recommend putting some of these ideas into action to improve the overall management of your Information Security Program.
And if you are interested in moving to the next level with your ISP and don't know where to start, contact me here, and I'll help you get the ball rolling.
See samples below: