Setting up a corporate Information Security Steering Committee
A security steering committee is crucial for effective management of security, compliance and regulatory requirements in any organization. If your organization has matured enough to consider setting up a security steering committee, the guidelines below will help you do it effectively.
Approach:
- Identify the right members for the committee. At a minimum, the committee should include the CISO and representatives from HR, Finance, Internal Audit, Legal and Administration.
- Set up a membership approval process. Any addition to the corporate Information Security Steering Committee (CISSC) must be approved by the CEO and CIO.
- Define the committee's responsibilities. This is crucial: without defined responsibilities, the quarterly meetings tend to degenerate into review meetings in which the CISO merely reports on incidents.
Template for Security steering committee:
Here is a template you can use to draft a charter for the security steering committee:
Purpose
This committee provides leadership in the protection of <your company> (System) information assets and technology. The committee members advise on and prioritize the development of information security initiatives, projects and policies as advocates for the constituents of the System.
Scope
Provide guidance and leadership to maintain and improve the confidentiality, integrity and availability of information across the System. The committee may establish working groups or subcommittees to identify and develop strategic direction and recommendations.
Membership Structure
The Committee will be co-chaired by staff members from the Office of the CEO and the Office of the CIO.
Committee membership includes:
- Director of the Information Security Office
- Human Resources
- Finance
- Internal Audit
- Legal
- Admin
Membership Approvals
Committee membership will be approved by the CEO and CIO based on the technology vision and enthusiasm that at-large members will bring to the committee. The committee will annually review membership and recommend changes after considering the need for continuity and expertise, as well as the need to encourage change and create opportunities to participate.
Committee Responsibilities
- Managing the development and executive acceptance of an enterprise security charter.
- Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioral policy). A major objective of this function is ensuring that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.
- Assessing any requests for policy exceptions from individual business units.
- Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure), as well as requests to be excluded from common investment.
- Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.
- Acting as custodian and governance body of the enterprise security program by ensuring visible executive support, as well as monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.
- Assessing and approving the outsourcing of common security services, as well as coordinating investment in appropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.
- Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost of common security initiatives, and reporting back to the committee with appropriate recommendations.
- Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.
- Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.
- Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).
- Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).
- Tracking major line-of-business IT initiatives to identify opportunities for synergy or to leverage security investment.
- Governing trust relationships with major e-business partners.
- Facilitating awareness and cooperation between the security program and System business units.
Meetings
Meeting Schedule – Meetings will be held on the fourth Wednesday of each month <or any day as decided> from <time>. Online meeting / video conferencing or similar solution will be utilized to minimize travel and increase participation.
Decision Model
Decisions will be made through member consensus. Disputes will be resolved by the co-chairs, the Office of the CEO and Office of the CIO staff members associated with the committee.
Meeting Agenda
An agenda will be drafted by the committee co-chairs with consultation from committee members, staff, and other stakeholders. The draft agenda will be distributed to committee members on the Friday preceding the meeting. Feedback will be incorporated into the final draft agenda which will be presented for adoption at the committee meeting.
Attendance
All members of this committee are expected to actively participate. Regular attendance for meetings as well as involvement in special activities is important to satisfy the many responsibilities of this committee.
Due to the nature of the committee's work, member consistency is critical. If a member is unable to attend, a proxy will not be recognized. Committee members may invite additional attendees to participate as appropriate.
Work groups and ad hoc teams
From time to time the committee may need to involve additional expert resources beyond the committee membership. The co-chairs may designate ad hoc teams to conduct specific work and report back to the committee. Ad hoc teams may include non-committee members who are subject matter experts. One committee co-chair will be selected to provide leadership and direction to each ad hoc team for the duration of its assignment.
In any use of ad hoc teams, the responsibility for all final recommendations rests solely with the membership of the committee as defined above.
The most effective security organizations are those with clear responsibilities and well-defined processes. Ideally, the following primary organizational roles or groups should be established:
- Leadership – the role of the chief information security officer, who handles both the day-to-day management of the security team and the continuous communication of the importance and value of security measures.
- Analysis/design – security analysts who help information owners develop meaningful security policy as well as effective security solutions.
- Security administration – staff who handle the day-to-day administration of access rights, passwords, etc.
- Security operations – resources that continuously monitor the security status of the organization and manage incident response procedures.
- Awareness communication – resources that design and manage ongoing security awareness and training programs.
- Executive custody and governance – represented by the information security steering committee.
Communication
Meeting notes and action items will be documented at each committee meeting. Following each meeting, the administrative support staff will distribute the documents to the co-chairs for review. The resulting document, along with any other materials, will be distributed to the committee members prior to the next meeting, at which the documents will be approved. Once approved, the documents will be posted to the committee website.
The committee charter, meeting schedules, membership roster, and other documents will also be posted to the committee website in the future.
About the author: Rajshekhar Murthy, an ex-employee of Microsoft, is a CISSP with over a decade of experience in Information systems and compliance.