A PICTURESQUE TABLE SETTING may gleam with a mix of polished silver and crystal, but it's nowhere near perfect without the right guest list. People make a party, and this particular table is adorned with ornate place cards pointing your invitees to their spots: internal audit to the right, HR and finance across the table, IT to the left. No, this isn't your boss' board meeting; it's the regular gathering of the information security steering committee, and it's the CISO who is writing out the invitations and setting the table.
But be forewarned: these aren't foolproof exercises. Before your security steering committee has muscle, before it formulates policies, debates liability and risk, and manages compliance obligations, it needs a sense of formality built on a legion of legwork usually done by a security manager eager to set his own table.
SECURITY STEERING COMMITTEE BEST PRACTICES
It may be sacrilege to hold an administrative meeting in the city of Seattle without serving coffee, but University of Washington CISO Kirk Bailey cannot afford caffeinated distractions when it comes to the institution's Privacy Assurance and Systems Security Council. The PASS Council is the epitome of a successful and influential security steering committee within an enterprise, one with a long reach into important decision-making entities.
Besides, if someone really wants coffee, there's a Starbucks on every corner. The PASS Council is a chartered organization at UW, and has administrative authority, oversees system security and privacy assurance and is responsible for the university's risk and compliance strategy for system security and privacy.
It meets monthly, and is likely Bailey's most indispensable tool when it comes to risk mitigation, policy development and the execution of compliance-related activities. Among the 16 regular invitees (14 voting and two advisory) are what would be considered business-unit leaders in an education setting: an assistant VP of human resources; executive director of risk management; lab director, computer science and engineering; HIPAA compliance officer; associate vice provost of enterprise information services; a facility security officer; executive director of internal audit; the campus police chief; and an assistant Attorney General, UW Division of the AG's office.
"It's just been a wonderful benefit to have that regularly scheduled, officially chartered body to throw ideas and issues around," Bailey says. "It's just been a delightful forum, an enormous benefit. And not just that it is supporting an institutional security and risk control program; it's a powerful and persuasive group for you to act as a CISO with."
By gathering these important institutional people, Bailey, who chairs the PASS Council, has a one-stop forum to air out legal, compliance or privacy issues as they pertain to the security of systems. Risks associated with new initiatives are identified and hashed out in committee meetings, and budget arguments are formulated, all with the goal of developing a strategic plan for information security at UW. Overall, the visibility of security is elevated to unprecedented heights.
This was first published in January 2009