Recommendations for creating a security steering committee
I'm the Enterprise Security Manager for my company. I'm interested in spearheading an "Information Security Steering Committee" effort. I envision the group being executive level, comprised of both IT and business line management. I'm looking for some guidance (or better yet examples) of "charter" documents for this type of organization. Any suggestions? Thanks!
I don't have any examples of charter documents, but I can give you a
few recommendations. First, make sure top management supports this
steering committee in writing in the charter. They need to sign the
committee's charter document. They may choose to be a part of the
group, but they don't have to as long as they show they support the
group and the work it does. You are on the right track including both IT
and business line management. You may want to include representatives
from the user community or at least have a sub-committee of users that
you can discuss potential policies and technologies with. End users are
not very happy to see a bunch of changes that impact their day-to-day
lives come out of a management committee where they have no input.
Finally, I would recommend keeping everyone educated and up-to-date on
items the committee is discussing. Security is often a very hush-hush or
secret topic that scares end users. Talk about security openly and get
your users involved.
This was first published in July 2002