RISK MANAGEMENT STRATEGIES

Six key practices for a successful interdepartmental security committee


Al Berg, CISSP
05.25.2004


I know, I know – the thought of forming yet another committee and setting up yet another meeting on your crowded calendar is enough to make you roll your eyes. However, when properly organized and run, an interdepartmental security committee (ISC) can provide the infosec professional with valuable information, assistance when a crisis hits, and maybe most importantly, a closer relationship with business units. In many cases, the impetus for starting an ISC is the writing of policies to govern information security in an organization.

Here are some best practices to help you form and make the most of an interdepartmental security committee (ISC) in your organization:

  1. Have your information security policies in order. A clearly defined set of policies that top management understands and supports will serve as the constitution of your ISC. Whether your ISC is tasked with approving projects or simply with raising awareness of security issues, it will be very difficult to make rational and consistent decisions without written policies to fall back on. In many cases, the event leading to the formation of the ISC is the need to draft policies. This can be a good thing; a committee that drafts the policies that will govern its operation will be intimately familiar with the policies. Writing policies may also serve as a trial-by-fire for your ISC – if the group can survive this exercise, other tasks will seem easy!

  2. Have a mission. There are few things worse than a committee without a clearly defined purpose. ISCs are typically tasked with one or both of the following charters:

    a.) Regulation- and review-oriented ISCs are tasked with examining projects and initiatives, and determining whether they are being designed and implemented in accordance with the organization's security policies. If your ISC is tasked with regulation and review, make sure everyone knows the rules of engagement up front. What are the criteria that determine whether a project needs ISC review and approval? Is the decision of the ISC binding? If so, how can an ISC decision be appealed?

    b.) Awareness and communications ISCs are concerned with getting security information out to the organization. When setting up an ISC to handle awareness and communications, you'll need to think about two types of information dissemination – normal awareness materials and urgent notifications. When an emergency like a virus infection or system compromise hits, the ISC members' familiarity with your corporate information security personnel, procedures and policies can make them into valuable "boots on the ground" at the business-unit level.

  3. Put it in writing. The ISC should have a mission statement describing in one brief paragraph what it does at a high level. The rules of engagement and procedures for the ISC should be written down and accessible to the organization, perhaps on the company intranet.

  4. Get buy-in from senior management. Whenever an initiative has the words "information security" in it, getting senior management backing is a key to success. Add the word "interdepartmental" and top-level support becomes even more vital. You need to explain the ISC to top management, make them understand the benefits it will bring to the table and get their blessing (preferably in writing).

  5. Find the right members. Getting the right people to participate in the ISC is another key to success. While it would be nice for the members to come to the table with some interest in or knowledge of information security, there are other qualities that are even more important:

    a.) ISC members should have an understanding of the business goals of their department and the company.

    b.) They should be "connectors" – the type of people who know everyone in their department and who are willing to not only share information, but to make the effort to find the right audience for the information security messages developed by the ISC.

    c.) ISC members need to have some "skin in the game." Participation in the ISC should be recognized by their management as part of their job function and should have some bearing on their job evaluation. For this to happen, managers need to understand what the ISC does and why it is important to their department.

  6. Don't waste members' time. While information security is number one on your list of things to do, it is probably not high on the list of your ISC members' daily tasks. Make sure that every ISC meeting you ask a member to attend has a clear purpose and agenda, and that members feel like they have accomplished something of value when they go back to their primary jobs. These accomplishments can take many forms – reviewing the security of a new project, getting information on a new threat or policy to take back to their department, or the presentation of some new way to make it easier or less expensive for departments to comply with policies.

Properly focused on the security needs of the business, an interdepartmental security committee can extend the reach of your corporate infosec department into the business units and build an organization-wide awareness of security as a business enabler rather than as a barrier to growth.

About the author
Al Berg, CISSP, is a technical director in the Corporate Information Security Department of a firm providing computer services to the financial services industry. Al has been in the information security industry for more than 10 years and has provided consulting services to major corporations and the U.S. Defense Department. Al has spoken at numerous industry conferences in the U.S. and Europe, and has published many articles on networking and security topics, including some in our sister publication Information Security magazine.

