Information security steering committee best practices



"We really drive these teams to execute and drive specific requirements across the company," McKnight says. "We're pretty advanced compared to most corporations." How advanced? The structure is deep and complex, beginning with the Corporate Security Council at the top. Under the council is a core group of standing committees including international security, information security, contingency planning, program security, security technology, government liaisons and personnel security. Under each of those committees are integrated process teams that drive common requirements across the corporation and achieve concurrence from business units on policy and strategy.

"It is a policy-making body for the company," says McKnight, who estimates that 50 percent of its time is devoted to policy creation and maintenance. Further evidence of its importance to the enterprise: Northrop Grumman regularly evaluates the effectiveness and necessity of its internal councils, and the security council is one of 33 such bodies recognized company-wide.

McKnight explains that once the Corporate Security Council has signed off on an initiative, the process moves to the CIO Council for approval from the CIO and eventually business unit leaders. McKnight also relies on what he calls a customer advisory group, a collection of trusted leaders at the VP level who provide a reality check around security priorities.

"That's something I recommend to all my peers; that helps give you a third-party view on things and another check on what your investments are," McKnight says.

Having the ear of influential decision makers helps push through initiatives that have traversed this chain of influencers with minimal resistance. "If we get to the point that we're presenting something at the sector level, they will ask if it has been reviewed and approved by the security or CIO councils," McKnight says. "Because they're the stakeholders for the company and they're communicating to lines of business, they're helping drive something that may be an enterprise effort." The Corporate Security Council isn't all about policy setting, but engagement on procurement as well.

"As a collective body, we're spending a significant amount of corporate dollars on security as a whole; a lot of time is spent with key suppliers trying to control, or drive down, costs or improve performance," McKnight says.

An important deliverable coming out of the council in the next 18 months is a smart card deployment that will provide common access to buildings and stronger logical access to systems. The coordination between industrial and information security on such a project is immense, from technology procurement all the way down to badge design.

"I can't imagine, without a body like this, that we would be finally at a point where we're all in agreement and pushing forward on a very large corporate-wide program to roll out this capability that will help us tremendously," McKnight says.

"It's a good place to be."

Not all security steering committees are chartered. American Electric Power of Columbus, Ohio, has an Executive Security Committee that is made up of senior executives from HR, legal and IT, as well as operations and government affairs; reliability officers; and those responsible for federal regulatory compliance and compliance with rigid industry standards set forth by NERC (North American Electric Reliability Corp.).

While the committee has a standing set of members and a regularly scheduled monthly meeting, it is an ad hoc organization, says Jerry Freese, director of enterprise information security and IT engineering security. Freese says the membership can change depending on the issues at hand and who is impacted in the organization.

This was first published in January 2009
