Information Security not IT???

Many of my clients have one individual responsible for both IT security and technology, and regulators are not liking that. We once considered all technology to be under one umbrella, managed by one person.

The Information Security Officer needs to be independent of IT operations and report directly to the board, board committee, or senior management. This means a “very” senior level person.

This expectation is outlined in the 2015 and 2016 FFIEC IT Handbook. One states, “to ensure appropriate segregation of duties, the ISO should be independent of IT operations staff and should not report to IT operations management”. The other states, “the ISO should be in enterprise-wide risk management rather than a production resource devoted to IT operations”.

While examiners are not prone to say, “you need to hire more people,” they do make comments regarding lack of segregation of duties and lack of risk mitigation, and they can lower your IT rating from a “1”. Message received?

You may want to consider now just how you are segregating, or will segregate, these duties internally. Document the steps you take. If you cannot totally separate these duties, document your recognition of the increased risk. Also, document the board’s approval and any plans you have in the foreseeable future to hire another IT-skilled person, maybe 2 or 4 years down the road. Having a written plan goes far in giving your examiner a comfort level with your oversight.