One of the first things we do when working with a new client is to establish recurring monthly meetings with a set agenda for every meeting. Holding the meeting every month is important because things move so quickly in today’s landscape that getting everyone on the same page at a regular frequency is mandatory. The agenda is important because it establishes a rhythm of discussion and decisions on your most important items.
While a lot of work goes into the details, the structure is pretty simple. It’s something your financial institution could put in place today and start to see immediate improvements in the governance of your IT and information security program.
- Minutes – reviewing the previous month’s minutes helps keep us on track on any open action items and holds everyone accountable.
- Emerging Threats – this is a brief presentation on any new threats that the team should be made aware of or any new regulatory requirements. It’s a learning opportunity that many folks just don’t have the time for in their normal work days.
- Remediation Tracking – this is the list of any open items that need to be resolved. It should include audit findings, exam findings, exceptions, action items from the risk assessment or CAT, and any risk acceptance that is being monitored. This keeps our issues in front of the team on a regular basis.
- KRI Dashboard – in my experience, the most effective dashboards are 1 page, include the most important cyber metrics, show level and trend, and give the team a tool to start open dialogue on areas needing attention. (Let me know if you’d like to see a sample!)
- ISP Tasklist – this is the ongoing tracking of the regular tasks and activities that need to occur in the regular 12-month schedule of a good information security program. We use it to discuss items that we’re behind on, as well as to remind the team of upcoming initiatives.
- Open Discussion – this is the opportunity for the team to voice their concerns or bring up issues they’ve discovered. During this time, I always ask 3 things:
  - Are there any new technologies that are being planned? (so we can do a risk assessment)
  - Are there any new vendors we’re considering? (so we can perform due diligence)
  - Have there been any incidents since the last meeting? (hopefully we already know about them, but you’d be surprised)
Have any questions on any of these? Or want help getting started? Just send us a note at support@bedelsecurity.com and one of our experts will reach out to see how we can be of assistance.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus
Two Essential Ingredients to Improve Your Information Security Program
https://www.bedelsecurity.com/blog/two-essential-ingredients-to-improve-your-information-security-program
The Gist of Governance
https://www.bedelsecurity.com/blog/the-gist-of-governance