Information security steering committee best practices


This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."


"I get to move in without much argument because they know it's done with the consent of the risk manager, auditor and legal; it's hard for anyone to object to our involvement," Bailey says, adding that any complaints would eventually arrive at the desk of a senior manager who is likely associated with the council. "I know security pros are considered a little autocratic, but truth is, in a preemptive action, this council supports that need."

Bailey approaches incident mitigation and response as a service, arriving not only with his expertise, but with the necessary tools and forms required to fend off disaster and appropriately document it. Departments can use that documentation, for example, to make their case for budget changes to prevent future recurrences.

"If the PASS Council becomes involved, people trust it. If you're a department manager who has had a terrible breach, and you're looking at millions of dollars worth of losses and worried about reputation, if I knock at your door and say I'm here to take over this incident with your help, people are relieved," Bailey says. "(Public relations) is in place; we have legal opinions at the ready, risk underwriting ready to answer questions, all congealed into one quick-acting service. If it's planned well, I can't understand living without it."

Bailey says for a security steering committee to flourish it's important that the membership remain fluid and represent an institution's most important risk and administrative areas. Ensure that the committee's interactions meet the needs of its member business units, because that helps support its acceptance and effectiveness as an institutional body. And, he says, don't be afraid to expand the group's responsibilities as chartered by providing services in areas that might seem out of its scope, especially in terms of IT policy development.

"If you want this to be well established, you have to dedicate time to it as a security professional. You've got to dedicate resources and energy to make this happen and keep it vital," Bailey says. "I invest an enormous amount of time in it to keep it growing and thriving."

Northrop Grumman, similar to UW, has a chartered information security steering committee that's been part of the fabric of the defense contractor's information security program for more than a decade. With a roster of internal heavyweights including information and industrial security, lines of business heads of security, as well as representatives of legal and human resources, Northrop Grumman's Corporate Security Council has authority over everything pertaining to information security from buyer contingency planning to investigative issues, says Timothy McKnight, vice president and CISO.

By Committee
Northrop Grumman Corporate Security Council

CHAIRED BY Timothy McKnight

CHARTERED for more than 10 years

QUARTERLY meetings are face-to-face; monthly meetings are teleconferences

MEMBERS include information and industrial security, HR, legal and business unit heads of security.

OBJECTIVES Policy making and procurement

This was first published in January 2009
