Meaningful Governance

Most information security professionals understand the compliance and business requirements of keeping management informed of the Information Security Program, but that is easier said than done. Financial institutions most commonly use monthly or quarterly Information Technology Steering Committee (ITSC) meetings to disseminate information and make decisions.

As a long-time security professional, I’ve seen various formats of these meetings lasting 15 minutes to 2 hours with document packages ranging from 5 – 500 pages. Requirements for each organization are unique and I’m a firm believer that less is more, and oftentimes, more effective. I’d like to discuss a few concepts and ideas to consider as you build out or enhance your Governance program.

First and foremost, start with a Board approved Charter for the ITSC. The Board sets the tone for the entire organization and IT is no exception. The Charter should include Purpose, Roles and Responsibilities, Representation, and Meeting Structure. A well-defined ITSC Charter is the first step in establishing an effective and meaningful IT Governance program.

Meet with a purpose and stay on task. It’s important to be respectful of everyone's time so make sure the agenda and supporting documentation is provided to committee members in advance of the meeting. Contents of the agenda should include but are not limited to, the following items.

• Review Previous Minutes: Minutes from the previous meeting should be shared and approved by the committee to ensure accuracy and completeness.
  
  
• Information Security Program Task List: Create a list of all tasks to be completed on an annual basis and notate the last completed/upcoming due date for each deliverable. Here at Bedel Security, we refer to this as the Information Security Program Task List. We use this to manage workloads over the course of a year and prioritize our “to-do” list. Sharing this list at each ITSC meeting keeps everyone informed of progress and draws attention to anything that is past due.
  
  
• Audit and Exam Tracking: Track and provide updates to any open audit and exam findings. One of the roles of the ITSC is to hold management accountable for remediating open issues in a timely manner.
  
  
• KRI Dashboard: Identify Key Risk Indicators (KRI) within your organization that can be used to identify potential threats. KRIs are most effective if they are charted over time for trend analysis and shared in a way that non-technical users can understand with basic knowledge of the organization.
  
  
• Other New Discussions: Use this as an opportunity to discuss new vendors or services as well as any incidents since the last meeting.
  
  
• Action Items: A member of the ITSC should be charged with taking minutes and is responsible for documenting any takeaways or action items derived from the meeting.

Minutes and supporting documentation of ITSC meetings should be forwarded to the Board to ensure appropriate oversight of the Information Security Program. All members of the Board are responsible for understanding threats, the risk they present, and how they impact the organization. Additionally, the Board should understand the management and mitigation of cyber threats and risks.

If this is a topic you would like to discuss in further detail, please email us at support@bedelsecurity.com to start a conversation.

Additional Resources:

The Gist of Governance
https://www.bedelsecurity.com/blog/the-gist-of-governance

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus 

Two Essential Ingredients to Improve Your Information Security Program
https://www.bedelsecurity.com/blog/two-essential-ingredients-to-improve-your-information-security-program 

Focusing on Cybersecurity Governance
https://www.bedelsecurity.com/blog/focusing-on-cybersecurity-governance