Status: Live
The organization will ensure that it has established appropriate planning, strategy, and steering committees with representatives from all key stakeholders. [UCF ID 00765]
Supporting and supported controls
This control directly supports:
• Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.10, ¶ .17 § 4.2, ¶ .20 § 3.13, ¶ .20 § 4.2, ¶ .24 § 3.14, ¶ .24 § 4.2, ¶ .29 § 3.13, ¶ .29 § 4.2; FFIEC IT Examination Handbook – Development and Acquisition, Pg 5; FFIEC IT Examination Handbook – Management, Pg 5, Pg 6, Pg 16, Exam Obj 3.1; Protection of Assets Manual, ASIS International, Revised Volume 1 Pg 2-II-21, Revised Volume 1 Pg 2-II-22; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.2; CobiT 4.1, PO4.2, PO4.3; The Standard of Good Practice for Information Security, SM2.1.2 thru SM2.1.4, SM2.2.2, SM2.2.5(d), SM4.2.1, SM4.2.2, SM6.6.2, UE6.1.2; ISO 17799:2005 Code of Practice for Information Security Management, § 6.1.2, § 6.1.3; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.6.1.2; ISO/IEC 27002-2005 Code of practice for information security management, § 6.1.2, § 6.1.3; OGC ITIL: Security Management, § 4.1.1.2; OECD Principles of Corporate Governance, 2004, § VI.E; Financial Reporting Council, Combined Code on Corporate Governance, June 2008, § A.5.2; German Corporate Governance Code ("The Code"), June 6, 2008, ¶ 5.3.1, ¶ 5.3.4; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ III.5.1, ¶ III.5.3; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 6, Pg 8; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 2.7.2, ¶ 2.7.3, ¶ 2.7.7, ¶ 3.1.6; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.3.5.2; Archer Control Table, ATCS-005, ATCS-006, ATCS-008, ATCS-015, ATCS-508, ATCS-614, ATCS-622, ATCS-632, ATCS-633, ATCS-652, ATCS-672, ATCS-674, ATCS-675, ATCS-678, ATCS-711, ATCS-722, ATCS-745, ATCS-783, ATCS-784, ATCS-794
Sarbanes Oxley Guidance
The IT steering committee should meet monthly and should review any anticipated, planned, or recommended changes to the security policy, system availability policy, system processing integrity policy, and system confidentiality policy. Monthly staff meetings should be conducted to discuss system security concerns and trends, system performance, and system processing, availability, and capacity. Test findings should be discussed at the quarterly management meetings. [¶ .17 § 3.10, ¶ .17 § 4.2, ¶ .20 § 3.13, ¶ .20 § 4.2, ¶ .24 § 3.14, ¶ .24 § 4.2, ¶ .29 § 3.13, ¶ .29 § 4.2, AICPA Suitable Trust Services Principles and Criteria]
A Senior Assessment Team should be developed by the organization and should be led by the Chief Financial Officer. This team should be composed of senior executives from the departments affected by the assessment. The Chief Information Officer should actively participate as a member of the team. [Pg 6, Pg 8, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The technology steering committee should be responsible for developing project deliverables and coordinating activities between the departments. The membership of the committee should be composed of the project manager, a board member, and executives from each department. [Pg 5, FFIEC IT Examination Handbook – Development and Acquisition]
The Board of Directors should assign an IT steering committee to oversee the monitoring of IT activities. The steering committee should be composed of representatives from senior management, the IT department, and end-user departments. Each member should have the authority to make decisions for his/her department. The steering committee should maintain the minutes of its meetings in order to document its decisions and to inform the Board of Directors on the actions it has taken. The Board of Directors, senior management, and users should be involved in the planning process. The Board of Directors should be responsible for reviewing and approving all plans. Each department should implement the applicable portion of the plans. [Pg 5, Pg 6, Pg 16, Exam Obj 3.1, FFIEC IT Examination Handbook – Management]
US Federal Security Guidance
If the organization does not maintain an incident reporting database, it may form an asset protection committee. This committee should be made up of personnel from each of the organization's departments. The committee should determine which incidents should be reported, determine which assets are vulnerable, assess the vulnerability of each identified asset, select countermeasures for each vulnerability, and develop a cost-benefit analysis. [Revised Volume 1 Pg 2-II-21, Revised Volume 1 Pg 2-II-22, Protection of Assets Manual, ASIS International]
[§ 3.2, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
ISO Guidance
An information security coordination group should consist of personnel from different parts of the organization, including managers, users, designers, legal, human resources, auditors, and others. This group should discuss the following: Handling noncompliance; assessing security controls; promoting security education and training; identifying threat changes; ensuring activities are in accordance with the security policy; and recommending actions based on security incident reports. [§ 6.1.2, § 6.1.3, ISO 17799:2005 Code of Practice for Information Security Management]
Representatives from all areas of the organization should be used to coordinate information security activities. [Annex A.6.1.2, ISO 27001:2005, Information Security Management Systems - Requirements]
An information security coordination group should consist of personnel from different parts of the organization, including managers, users, designers, legal, human resources, auditors, and others. This group should discuss the following: Handling noncompliance; assessing security controls; promoting security education and training; identifying threat changes; ensuring activities are in accordance with the security policy; and recommending actions based on security incident reports. [§ 6.1.2, § 6.1.3, ISO/IEC 27002-2005 Code of practice for information security management]
ITIL Guidance
[§ 4.1.1.2, OGC ITIL: Security Management]
General Guidance
The organization should establish an IT strategy committee at the board level. This committee ensures that IT governance, as part of corporate governance, is adequately addressed, advises on strategic direction, and reviews major investments on behalf of the full board.
The organization should establish an IT steering committee (or equivalent) composed of executive, business and IT management to:
• Determine prioritization of IT-enabled investment programs in line with the enterprise’s business strategy and priorities
• Track status of projects and resolve resource conflict
• Monitor service levels and service improvements [PO4.2, PO4.3, CobiT 4.1]
A high-level working group or committee should be formed to control all aspects of the organization's information security procedures. This group should meet on a regular basis and should be made up of a top-level executive, the Chief Information Security Officer, the head of IT, security-related department representatives (e.g., audit, legal, physical security), and application owners. The working group should approve all information security policies and procedures, ensure information security is included in the organization's planning process, ensure information security is emphasized to all employees, monitor the information security standing of the organization, and monitor exposure to information security threats. The information security function should develop security policies, define security objectives, coordinate security across the organization, provide training and information to the staff about information security, and monitor the effectiveness of the information security program. The information security function should be reviewed on a regular basis to ensure it is performing as expected. A high-level committee should exist for managing information privacy issues and should be aware of how and when privacy information is used and where it is stored. A high-level committee should exist for the coordination of e-commerce initiatives and should include representatives from organizational areas that use e-commerce. [SM2.1.2 thru SM2.1.4, SM2.2.2, SM2.2.5(d), SM4.2.1, SM4.2.2, SM6.6.2, UE6.1.2, The Standard of Good Practice for Information Security]
EU Guidance
When the Board forms a committee, the Board should ensure the composition and work procedures are well defined and disseminated to the committee members. [§ VI.E, OECD Principles of Corporate Governance, 2004]
UK and Canadian Guidance
The Board should ensure all committees have the necessary resources to carry out their duties. [§ A.5.2, Financial Reporting Council, Combined Code on Corporate Governance, June 2008]
Other European and African Guidance
The Supervisory Board must form committees with specialized experience to help with handling complex issues and to improve the efficiency of the Board. The chairperson of each committee must report to the Supervisory Board on their work on a regular basis. The Supervisory Board can delegate responsibilities to one or more committees. [¶ 5.3.1, ¶ 5.3.4, German Corporate Governance Code ("The Code"), June 6, 2008]
The Supervisory Board must develop the roles and responsibilities of each committee and determine the number of members and how they perform their duties. All members, with the exception of at most 1 member, must be independent. Each committee must make reports of their discussions and findings to the Supervisory Board. [¶ III.5.1, ¶ III.5.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]
Board committees should have a written scope of authority and reporting procedures. Formal procedures should be developed to describe the functions of the Board that are being delegated and the duties and responsibilities of the committees. Board committees should be chaired by independent, non-executive directors, if possible. A committee should be appointed by the Board to help review risks affecting the organization and the organization's risk management process. [¶ 2.7.2, ¶ 2.7.3, ¶ 2.7.7, ¶ 3.1.6, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
The Board of Directors may set up special committees to aid the Board in specific areas. The formal work plan must specify what decision-making authority and tasks the committee has been delegated. [¶ III.3.5.2, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
