[BreachExchange] The (Regulated) Rise of the CISO

[Audrey McNeil]

http://www.jdsupra.com/legalnews/the-regulated-rise-of-the-ciso-34191/

The proposed New York Department of Financial Services Cybersecurity
Requirements for Financial Institutions (the “Regulation”) has many
different aspects that are designed to bring about overall improvement in
cybersecurity programs. One that has yet to be explored is how the
Regulation elevates the role of the Chief Information Security Officer (the
“CISO”) beyond the traditional role at many financial services companies.
The Regulation has detailed requirements for what must be included in a
company’s cybersecurity policy and procedures. While most of the
requirements are standard for information security policies, a few place
responsibilities for areas of business that are necessary for
cybersecurity, but go far beyond cybersecurity within organizations.

One of the requirements is for inclusion of data governance and
classification. Data must be appropriately classified and governance rules
applied for proper cybersecurity. However, data classification includes
many topics, such as licensed data, third party confidential information,
 company confidential information, intellectual property and many others.
Data governance ensures that data when correctly classified is used in a
manner appropriate to the business need, objectives and in compliance with
laws and regulations.

The Regulation also requires business continuity and disaster recovery
planning and resources be a part of the cybersecurity policy and
procedures. In many companies, the executive responsible for these areas
and resources is does not report to the CISO. Business continuity and
disaster recovery planning also goes far beyond traditional cybersecurity
planning, and yet is critical to cybersecurity effectiveness.

Customer data privacy (although interestingly, not employee data privacy)
is also required to be included in the cybersecurity policy. Many companies
have a Chief Privacy Officer who has operations, policies and procedures
separate from the CISO. The Regulation conflates these areas.

The same applies to physical security and environmental controls, and
vendor and third party service provider management. These are operations
that are also critical to cybersecurity, and yet, the functions have much
broader responsibilities. At some institutions, they are well connected. At
others, they are not. The Regulation seems to take the position that
cybersecurity risk management in these areas is primary.

Perhaps of farthest reach is the requirement for capacity and performance
planning to be included in the cybersecurity plan. These are usually the
purview of the Chief Information Officer, to whom the CISO often reports.
Appropriate operations of systems is critical to protecting the
availability and integrity of IT systems. It is also required for the
technical operations of the entire enterprise.

The Regulation not only requires financial institutions to focus more
explicitly on the cybersecurity program, it also appears to require the
elevation of the CISO in order to appropriately manage a broader set of
responsibilities.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160922/92624cc7/attachment.html>