Educause Security Discussion mailing list archives

Re: Member question re: board presentations on security


From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 14 Dec 2016 18:48:29 +0000

Make sure to ask about the preferred format and length of time for presenting to the board.  Many boards still like 
hard copies of documents and agendas might be very tightly run for time.  For an initial presentation, a very high 
level (just a few minutes) overview of the structure of your information security program is a great place to start.  
The content depends highly on the type of program you have, but simple statements like these are probably good to 
consider:

(who are you, what do you do, where are we now, where are we headed, how will we know when we get there)


- Very high level review of your team/program’s scope and responsibilities

- High level overview of process for establishing these policies/procedures/standards

  - Ownership of security policies/procedures/standards resides with group X

  - Input and feedback for these policies/procedures/standards includes representation from these groups…

  - Final approval is given by this group/individual…

  - New items and changes are communicated in this way…

- We have established policies/processes for these high level areas: acceptable use, incident response, data 
classification, etc. (don’t dig into details even if asked – defer to following up with documents via email)

- The high level goals for the program over the coming year are…

- We intend to measure our progress and success through these methods…

- We would like to return to report on our progress toward these goals in X months…

Keep each top level bullet to 1-2 minutes for a total of less than 10 minutes.

Anticipate as many questions ahead of time as you can so you have quick, succinct answers.  What are the hot topics 
among executives in your organization at the moment?  How do they connect to your program?  Have there been any recent 
major security news items, and how would you answer “could this happen to us?” or “does this impact us?”

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Joanna Grama <jgrama () EDUCAUSE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, December 14, 2016 at 11:31 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Member question re: board presentations on security

Hello,
I received a request from a member today, who wishes to remain anonymous, to ask this group the following question:

What types of information would you provide to your institution’s board in an information security presentation/report? 
 Especially if it were the first-ever information security report to the board?  For context, this was a request to 
present for informational purposes only and not in response to an institutional breach.

For those of you that are veterans of reporting to your institutional boards, what advice do you have to share?

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | main: 303.449.4430 | jgrama () educause edu

