"Don't let it be a status or operational meeting. Make it strategic where senior-level people are able to make decisions based on information being shared with them," says Forrester Research principal analyst Khalid Kark. "What often can happen is that senior executives come in to the first few meetings and talk about security. But over the course of a few months, things die down, and they start sending representatives, and then their representatives send their representatives, and the effort is not at the level where it initially started. It ends up being a logistical or operational type of effort where you're either going through status or going through information that does not mean anything to anyone attending; it's either too high level or low level."
The PASS Council's natural intersection of business and security officials facilitates the development and processing of security or privacy policies. Decision makers can expedite funding or approval of policy changes or spending on new security projects knowing that the PASS Council and its wide-ranging representation has already endorsed the initiative.
University of Washington Privacy Assurance and Systems Security (PASS) Council
CHAIRED BY Kirk Bailey
MEETS every fourth Monday of the month
CHARTERED by the university
2 ADVISORY non-voting positions
MEMBERS include campus police chief; vice presidents or directors of UW Medicine, Health Sciences, Computer Science and Engineering, Research Information Services and Risk Management (Underwriting); CIO; HIPAA compliance officer; executive director of internal audit and others.
DELIVERABLES include information systems and data security strategic plan; privacy policies, standards, guidelines, risk assessment and risk management program; incident response program; support services for UW compliance requirements.
"This is a group of risk managers an institution would bring together to deal with a response anyway. Having them in place to do preventive discussions and formulate policy to mitigate the liability sets and understand compliance obligations is just powerful," Bailey says. "If an institution doesn't have one, it's missing an opportunity or you've overlooked a compliance requirement. If you're a security professional operating without such an entity, you're giving yourself a ton of work because you have to run around and talk to these people anyway."
Information security steering committees don't have to be strictly advisory. A powerful committee can also assist with incident response, and help minimize reputational risks and costs in the event of a breach. The UW PASS Council, for example, gave Bailey intervention authority to mitigate incidents with the blessing of the institution's risk managers, including the executive director sitting on the PASS Council who is the university's underwriter (UW is self-insuring and all risk questions have an immediate business interest, Bailey says).
This was first published in January 2009