This is an example of an organizational structure. Select Next to learn more about how it is designed to avoid conflicts of interest through implementing separation of duties.

Operations and network administration should be independent and separate of the data security department.

Audit is totally independent. Audit reports should not go directly to management. They should go to the Audit Committee or directly to the Board.

Proof or capture personnel and tellers that use deposit capture devices should be separated from other computer operations personnel.

Data security is separate from other operations. The security department should have sufficient audits to take appropriate actions and report to senior management or the Board.

In order to ensure independence and avoid even the appearance of undue influence on reporting of issues, the Chief Risk Officer and Chief InfoSEc Officer (CISO) should report directly to the Audit Committee. The may however, report through senior management for administrative issues (e.g., leave, travel, etc.)