A solid cybersecurity program starts with good governance practices. These practices ensure that IT, security staff, and management are all rowing proactively in the same direction. They help management stay aware of the current cybersecurity challenges and help staff understand the priorities of management.
Good governance practices are also vital to ensuring that the myriad regulatory expectations are met in a managed way instead of being treated as a crisis. This week, we will look at what cybersecurity governance should include at a financial institution.
- Discussion: Cybersecurity governance needs to include a conduit for constant discussion of threats, risks, and controls. This is normally accomplished by forming a committee that is responsible for meeting and discussing cybersecurity matters on a regular basis. Whether it is a dedicated Information Security Committee or a part of an IT Steering Committee, this committee should be empowered to make key decisions based on threats and risks that are discussed at the meeting. The committee should keep minutes to demonstrate to regulators that cybersecurity topics are regularly discussed and acted upon. The committee should include key members of senior management, the audit team, risk management, information technology, and information security.
- Calendar: We find that there are around 60 regularly recurring tasks inherent in maintaining a solid Information Security Program. Keeping a calendar of required security program actions is vital to ensure that the institution does not miss a critical deadline. Some examples of tasks to include are reporting key monthly metrics, updating business continuity procedures quarterly, performing an annual Cybersecurity Assessment Tool (CAT) analysis, or having a penetration test performed annually. The calendar should become a standard part of the security committee agenda. (If you don't have your own, you can download our ISP Tasklist here to get started!)
- Findings: Most institutions have a set of security-related audit or exam findings. To ensure that these receive the focus they need, the findings should be reviewed and discussed at each security committee meeting to minimize the risk of a repeat finding during the next audit cycle. These discussions should be included in the meeting minutes to demonstrate that the committee continues to manage remediation of these findings.
- Strategy: A healthy security committee will have a clear understanding of the current cybersecurity landscape of the institution, which translates into an ability to create a solid cybersecurity strategic plan for the future. While creation of a strategic plan is normally an annual event, reviewing the strategic plan as part of each committee meeting helps to strengthen the plan and to keep the committee focused.
If you're anything like us, you like to play to your strengths. If governance isn't your strong suit, don't worry; it's definitely ours. We can help you keep your Information Security Committee moving forward in one cohesive direction and free you to handle the things you're exceptional at. If you're ready, use the button below to start the conversation, or check out our deliverables and pricing for our Governance module.