Using an information security council

One way to address this issue is by utilizing an information security council. An information security council is a cross-functional group capable of bringing together a broad range of perspectives within a senior oversight body. Structured correctly, a council can be an extremely efficient way of managing the information security program and, more importantly, reinforcing that information security is a business issue, not an IT issue.

The council would be responsible for evaluating issues and authoring policy, even making recommendations on procedures. By incorporating broad input from the various control and operational areas, policies will carry more weight, not only because they have already been fully vetted with senior managers, but because the council members will support them within their own functional areas as well.

The council should also oversee the annual information security risk assessment, staff training and the report to the board of directors on the state of the information security program.

There are a number of design attributes that are critical for an information security council to be successful. The council must:

• Include senior level participation. Unless members are senior enough to be able to make decisions and influence others within the organization the council may risk becoming a paper tiger. Having senior managers, with operating authority, allows the council to not only make strategic decisions, but see that those decisions are supported within the organization.
  
  
• Have the authority to set policy. The council must have the ability to develop and publish policies, starting with the information security policy itself, as well as operating policies, (e.g., those governing email usage, USB devices, instant messaging, etc.) Typically a policy that affects the entire organization would come from the council whereas more granular policies, such as the frequency of router password changes, would remain within their functional areas.
  
  
• Be cross-disciplinary. The value of the council is in bringing different perspectives to emerging issues and in drafting policy. Therefore, the council should ideally have representatives from not just IT, but legal, compliance, human resources, internal audit, risk management, operations and information security. The membership should represent only those areas that have definitive input into policy creation. Other areas such as marketing, analytics, eCommerce, ...
  
  To continue reading for free, register below or login

  Requires Membership to View

  To gain access to this and all member only content, please provide the following information:

  Email Address:
  
  
  

  By joining SearchFinancialSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  To read more you must become a member of SearchFinancialSecurity.com

  As an existing member of the TechTarget network please activate your SearchFinancialSecurity.com account 

  By joining SearchFinancialSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  
  
  

  Digg This!     StumbleUpon     Del.icio.us

  
  
  

  << PREVIOUS | NEXT >>: Examining the FFIEC Business Continuity Planning...

  VIEW ALL IN THIS CATEGORY

  
  

  RELATED CONTENT Compliance and Governance Digest Seven GRC best practices for information security Shifting to a flexible information security framework Vendor contract management: Regulatory guidance is risk-based Vendor audit and monitoring contractual rights Data breach protection: Implementing vendor breach safeguards How to manage security risks in vendor contracts Red Flags Rule and preparing for new regulations Companies lagging in PA DSS compliance Social media: Risk management strategies for financial institutions FFIEC guidance on RDC: Guidance overview Risk management frameworks, metrics and strategy Vendor risk management: process and documentation How to manage security risks in vendor contracts Controls monitoring helps with governance, risk and compliance An advancement in GRC Advocacy group looks to foster trust in foreign service providers Information security governance using a risk-based approach Security on the street with SearchFinancialSecurity.com: Risk management Strategic metrics for information security at financial services firms Metrics don't truly quantify information risk Financial Information Security Decisions 2008: Presentation downloads Compliance best practices Regulators issue standardized privacy notice form for GLBA compliance Seven GRC best practices for information security Keeping up with state data protection laws Five mistakes banks make in pandemic planning Get ready for remote deposit capture risk management scrutiny Google ordered to deactivate Gmail account after bank email error Vendor risk management: process and documentation How to manage security risks in vendor contracts How to streamline role-based access control Five considerations for choosing network access control products

  RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Red Flags Rule (RFR)  (SearchFinancialSecurity.com)

  RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

  
  
  credit administration would more likely be invited on a case by case basis to address specific issues but wouldn't normally be part of policy making when it comes to information security.
  
  

• Be highly visible. People need to know who the council members are so that when policies are published those policies don't end up in an endless cycle of "OK, but was this approved by legal? By HR?" Yes, it was.
  
  
• Be safe. One of the tremendous benefits of a governing body of mixed disciplines is as a learning environment. The council format provides an opportunity to break down communication barriers between business units. When discussing issues, regardless of the complexity of the issue from anyone's perspective, it is incumbent on them to explain the issue in ways that all council members can understand. It must be safe to ask any question, no matter how elementary.

The council can even be used for explicit training opportunities, helping members to understand how things like firewalls and intrusion detection systems actually work. When explained in simple language, these technologies can be extremely interesting to senior managers, particularly against the backdrop of the very real threats that they help mitigate.

What participants will find is that, over time, as members learn from each other and work through complex issues taking multiple perspectives into consideration that they become each other's eyes and ears. The representative from legal may spot something that is a technical risk. IT representatives will become more adept at spotting potential compliance issues. HR may proactively identify something that is a process risk. One of the central truths of effective risk management is that the more people know about other operating areas, the better their ability to identify and manage risk. In this way, an information security council can be a powerful tool in information security governance.

About the author:
Eric Holmquist is the vice president and director of operations risk management at Advanta Bank Corp. He has over 25 years experience in the financial services industry and is a frequent industry author and speaker. He is responsible for the development and oversight of the bank's operational risk management program. In addition, Holmquist chairs the operational risk management for IT committee through the Risk Management Association. He is the author of Risk-Sizing ORM – Scaling Operational Risk Management For The Small To Mid-sized Market, is a contributing author to Operational Risk 2.0 (2007) and The Advanced Measurement Approach to Operational Risk (2006).