IT Steering Committee Policy
|Version: 1.00||Issue Date: 3/3/2015|
This IT Steering Committee Policy ensures that new security threats and new technologies are properly addressed by the organization.
This IT Steering Committee Policy will help ensure new technologies are used to the best advantage for the organization. It will also ensure that new computer security threats are properly recognized and addressed to keep the organization secure.
This IT Steering Committee Policy defines tasks required for reviewing new technologies and new security threats. This IT Steering Committee Policy defines responsibilities associated with those tasks.
This IT Steering Committee Policy applies to new technologies and new computer security threats. It is the responsibility of the IT Steering Committee to determine how new technologies will be used in the organization and provide guidance to the organization in dealing with new computer security threats. This policy is effective as of the issue date and does not expire unless superceded by another policy.
4.0 IT Steering Committee
The IT Steering Committee shall be made up of executives from each main section of the organization. The executive may delegate a representative to represent them on the IT Steering Committee but decisisions made by the representative are binding. The IT Steering committes shall:
Create or designate a team to create a technological security plan for the organization.
Ensure that independant third party advice is obtained before the plan is finalized.
Approve the organizational security plan.
Ensure that the organizational security plan is properly communicated.
Ensure that the organizational security plan is reviewed and modified at least every two years.
The committee must ensure that the skills required for properly assessing new computer security threats and new technologies exist within the organization.
The committee must be sure that security policy, security practices, and security standards are changed in accordance with the security plan as new threats and technologies emerge.
The committee must ensure that security policies, plans, standards, procedures, requirements, and objectives are identified, documented, and published so the proper staff members are fully aware of them. Senior management must expect and hold divisions under their control accountable for implementing the security plan within expected schedules.
Senior management shall use the organizational security plan, refer to it, and encourage others to do so. Senior management must create a framework and processes to be sure the security plan in implemented.
5.0 Organizational Security Plan
The security plan and strategy must be based on a formal risk analysis that covers all the components of risk including vulnerabilities, threats, controls, safeguards, likelihood of threat materialization, and damage.
The organizational security plan shall include the following information as a minimum:
Information about new computer security threats and measures to use to mitigate them including but not limited to changes to system configurations, additions of new systems or technologies, and training.
The security plan must be in line and support the strategic business plan.
It shall specify methods used to achieve a set level of security and shall set benchmarks to measure progress by. It may specify some maximum number of virus incidents per month.
Security progress shall be measured against benchmarked industry scores. The plan must provide for and require this.
The security plan shall include details for implementing the security strategy. The plan shall be documented so areas of improvement and actions required are easily identified, such as anti-virus training. The plans shall include how the improvements to current processes shall be implemented.
The security plans, policies, procedures, standards, requirements, and objectives must be in compliance with laws, licenses, and contractual agreements.
Information Technology resources and divisions may be re-aligned or re-structured due to changes in the organizational security plan.
Since having a proper organizational technology and security plan is important for the security and welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
Approved by:__________________________ Signature:_____________________ Date:_______________