"Don't let it be a status or operational meeting. Make it strategic where senior-level people are able to make decisions based on information being shared with them," says Forrester Research principal analyst Khalid Kark. "What often can happen is that senior executives come in to the first few meetings and talk about security. But over the course of a few months, things die down, and they start sending representatives, and then their representatives send their representatives, and the effort is not at the level where it initially started. It ends up being a logistical or operational type of effort where you're either going through status or going through information that does not mean anything to anyone attending; it's either too high level or low level."
The PASS Council's natural intersection of business and security officials facilitates the development and processing of security and privacy policies. Decision makers can expedite funding or approval of policy changes or spending on new security projects, knowing that the PASS Council, with its wide-ranging representation, has already endorsed the initiative.
By Committee
University of Washington Privacy Assurance and Systems Security (PASS) Council
CHAIRED BY: Kirk Bailey
MEETS: every fourth Monday of the month
CHARTERED: by the university
ADVISORY: 2 non-voting positions
MEMBERS: campus police chief; vice presidents or directors of UW Medicine, Health Sciences, Computer Science and Engineering, Research Information Services and Risk Management (Underwriting); CIO; HIPAA compliance officer; executive director of internal audit; and others.
DELIVERABLES: information systems and data security strategic plan; privacy policies, standards, guidelines, risk assessment and risk management program; incident response program; support services for UW compliance requirements.
"This is a group of risk managers an institution would bring together to deal with a response anyway. Having them in place to do preventive discussions and formulate policy to mitigate the liability sets and understand compliance obligations is just powerful," Bailey says. "If an institution doesn't have one, it's missing an opportunity or you've overlooked a compliance requirement. If you're a security professional operating without such an entity, you're giving yourself a ton of work because you have to run around and talk to these people anyway."
Information security steering committees don't have to be strictly advisory. A powerful committee can also assist with incident response and help minimize reputational risks and costs in the event of a breach. The UW PASS Council, for example, gave Bailey intervention authority to mitigate incidents with the blessing of the institution's risk managers, including the executive director on the PASS Council who serves as the university's underwriter (UW is self-insuring, so every risk question has an immediate business interest, Bailey says).