Information security steering committee best practices - Information Security Magazine - Page 1

Information security steering committee best practices

A PICTURESQUE TABLE SETTING may gleam a mix of polished silver and crystal, but it's nowhere near perfect without the right guest list. People make a party, and this particular table is adorned with ornate place cards pointing your invitees to their spots: internal audit to the right, HR and finance across the table, IT to the left. No, this isn't your boss' board meeting; it's the regular gathering of the information security steering committee, and it's the CISO who is writing out the invitations and setting the table.


Information security steering committees aren't a new concept, but they are popping up in more corporate settings and allowing security management to better facilitate the integration of security into business processes. If you're a CISO with internal, industry or federal compliance mandates, it's becoming increasingly difficult to do business without establishing such a body.

But be forewarned: these aren't foolproof exercises. Before your security steering committee has muscle, before it formulates policies, debates liability and risk, and manages compliance obligations, it needs a sense of formality built on a legion of legwork usually done by a security manager eager to set his own table.

SECURITY STEERING COMMITTEE BEST PRACTICES
It may be sacrilege to hold an administrative meeting in the city of Seattle without serving coffee, but University of Washington CISO Kirk Bailey cannot afford caffeinated distractions when it comes to the institution's Privacy Assurance and Systems Security Council. The PASS Council is the epitome of a successful and influential security steering committee within an enterprise, one with a long reach into important decision-making entities.

Besides, if someone really wants coffee, there's a Starbucks on every corner. The PASS Council is a chartered organization at UW, and has administrative authority, oversees system security and privacy assurance and is responsible for the university's risk and compliance strategy for system security and privacy.

It meets monthly, and is likely Bailey's most indispensable tool when it comes to risk mitigation, policy development and the execution of compliance-related activities. Among the 16 regular invitees (14 voting and two advisory) are what would be considered business-unit leaders in an education setting: an assistant VP of human resources; executive director of risk management; lab director, computer science and engineering; HIPAA compliance officer; associate vice provost of enterprise information services; a facility security officer; executive director of internal audit; the campus police chief; and an assistant Attorney General, UW Division of the AG's office.

"It's just been a wonderful benefit to have that regularly scheduled, officially chartered body to throw ideas and issues around," Bailey says. "It's just been a delightful forum, an enormous benefit. And not just that it is supporting an institutional security and risk control program; it's a powerful and persuasive group for you to act as a CISO with."

By gathering these important institutional people, Bailey, who chairs the PASS Council, has a one-stop forum to air out legal, compliance or privacy issues as they pertain to the security of systems. Risks associated with new initiatives are identified and hashed out in committee meetings, and budget arguments are formulated all with the goal of developing a strategic plan for information security at UW. Overall, the visibility of security is elevated to unprecedented heights.

This was first published in January 2009