Using an information security council

One way to address this issue is by utilizing an information security council. An information security council is a cross-functional group capable of bringing together a broad range of perspectives within a senior oversight body. Structured correctly, a council can be an extremely efficient way of managing the information security program and, more importantly, reinforcing that information security is a business issue, not an IT issue.

The council would be responsible for evaluating issues and authoring policy, even making recommendations on procedures. By incorporating broad input from the various control and operational areas, policies will carry more weight, not only because they have already been fully vetted with senior managers, but because the council members will support them within their own functional areas as well.

The council should also oversee the annual information security risk assessment, staff training and the report to the board of directors on the state of the information security program.

There are a number of design attributes that are critical for an information security council to be successful. The council must:

The council can even be used for explicit training oppo

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance and Governance Digest Red Flags Rule compliance How AML compliance applies to remote deposit capture Tokenization and PCI compliance Data governance and classification The PCI compliance case for source code review Identity management for financial firms in turbulent times PCI DSS: Best practices for compliance Red Flag Rules compliance demands a risk-based approach Understanding the impact of new state data protection laws Understanding the FFIEC remote deposit capture guidance Risk management frameworks, metrics and strategy Controls monitoring helps with governance, risk and compliance An advancement in GRC Advocacy group looks to foster trust in foreign service providers Information security governance using a risk-based approach Security on the street with SearchFinancialSecurity.com: Risk management Strategic metrics for information security at financial services firms Metrics don't truly quantify information risk Rethinking risk management for financial services firms Outlining governance frameworks How to make management accountable for risk Financial services compliance best practices Red Flags Rule compliance Why financials should pay attention to NERC CIP The truth about vendor management Using virtualization for compliance efforts FFIEC releases risk management guidance for remote deposit capture Information security governance using a risk-based approach How I learned to stop worrying and love my compliance department Integrating ethics from top to bottom Partner data privacy: Issuing stricter guidelines How to implement the NIST role based access control model

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary corporate governance  (SearchFinancialSecurity.com) subpoena  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

rtunities, helping members to understand how things like firewalls and intrusion detection systems actually work. When explained in simple language, these technologies can be extremely interesting to senior managers, particularly against the backdrop of the very real threats that they help mitigate.

What participants will find is that, over time, as members learn from each other and work through complex issues taking multiple perspectives into consideration that they become each other's eyes and ears. The representative from legal may spot something that is a technical risk. IT representatives will become more adept at spotting potential compliance issues. HR may proactively identify something that is a process risk. One of the central truths of effective risk management is that the more people know about other operating areas, the better their ability to identify and manage risk. In this way, an information security council can be a powerful tool in information security governance.

About the author:
Eric Holmquist is the vice president and director of operations risk management at Advanta Bank Corp. He has over 25 years experience in the financial services industry and is a frequent industry author and speaker. He is responsible for the development and oversight of the bank's operational risk management program. In addition, Holmquist chairs the operational risk management for IT committee through the Risk Management Association. He is the author of Risk-Sizing ORM – Scaling Operational Risk Management For The Small To Mid-sized Market, is a contributing author to Operational Risk 2.0 (2007) and The Advanced Measurement Approach to Operational Risk (2006).