In this article we explain the purpose, activities, and composition of an IT Security Committee.
This committee provides a forum to communicate, discuss, and debate security requirements. Its members represent a cross-section of business lines or departments, including compliance, audit, HR, risk, etc. In addition to providing advice and counsel, their mission is to carry the security requirements back to their colleagues and business partners.
Objectives of the IT Security Committee
The main objectives of the Security Committee are:
- Advise on the implementation, support, and management of the Information Security Policy.
- Provide a forum to discuss business initiatives and security requirements.
- Monitor security initiatives in the IT area.
- Monitor the issues raised by external security audits.
As described above, the IT Security Committee is not just a meeting: it is a governance structure that provides a standing forum in which the different members can meet. The meeting should be held periodically (monthly, quarterly, ...); much longer intervals are not recommended, since open issues go unattended between sessions.
Attendees of the IT Security Committee
Regarding the composition of the committee, the profiles involved are:
- Owner of the committee (chairperson).
- Members of the different areas: a cross-section of business lines or departments, including operations, risk, compliance, marketing, audit, sales, HR, legal, etc.
- Facilitator, who is in charge of the meeting memorandum, maintenance of the issue tracker, etc.
Development of the IT Security Committee
The main activities of this committee are:
1- Preparation and agenda closure:
Some days before the meeting, review and share the main points and proposals with each responsible person. Once all points and new proposals are confirmed, the agenda of the meeting is ready. This step matters because every member who will attend is informed in advance of the points to be discussed and can prepare the related information if needed.
Then, during the meeting, all the proposals included in the agenda are reviewed together with the responsible person, and all members can give their opinion, suggestions, or support. Every identified issue must be linked to an improvement proposal owned by the relevant department. The reverse does not hold: not every improvement proposal needs a linked issue, so improvements can be proposed without an issue having been detected. For example, an issue must always have a solution, whereas a risk or an update of an application can be proposed without any issue associated with it.
2- Tracker maintenance:
It is recommended to keep a tracker with all issues and proposals, in which it is mandatory to record the status (new, in progress, on hold, or completed), the priority (critical, high, medium, or low; a numeric range can also be used), who reported the issue, who is managing it, and the actions taken on it. With this tracker, anyone can see the status of every open proposal and issue.
3- Closing the meeting and sending the results (memorandum):
Once the meeting is over, a final document must be sent with all the proposals discussed, the updates to them, and the actions approved. With this document, every member has a summary of the meeting and of the actions that must be taken.
Conclusions
To sum up, having a security committee:
1- Increases control over, and the organization of, the company's security strategy.
2- Provides visibility across departments by enabling a forum to discuss problems and improvements related to security topics that affect more than one department.
3- Defining the committee's composition gives clarity on what the governing body is like: its structure, operation, frequency, etc.