Are we required to have an Information Systems Security Officer?
Yes, someone in your organization must have this title. It is not required that this be a separate position. For instance, someone in the IT department might be designated for this role, in addition to other duties. We require that you schedule security training for that individual, and document a daily security task list (review event logs, patch servers, etc.)