Information governance committee

by John Bandler

An information governance committee is a group of individuals designated to help manage information systems in an organization, including cybersecurity. They give advice and feedback to the chairperson of the committee, who remains the decision maker.

Some decisions on IT, providers, platforms and applications can be critical with long term impact across the entire business. Forming a committee of stakeholders can help ensure issues are addressed ahead of time and better business decisions are made.

Every organization can manage itself however it likes (within the bounds of the law). This article merely describes one method that can be effective.

Why designate people to an information governance committee?

To properly manage something, people need to be in charge of it, be consulted about it, and provide feedback on it.

Those people should be within the organization, even if they also rely upon people outside the organization.

If no one is in charge and no one is designated to work on it, chances are good that nothing will get done, or that whatever gets done is not done efficiently. This is especially true in an area as complex as cybersecurity and information systems.

What decisions could this committee help with?

The committee can help with many types of decisions and actions, including:

  • Creating, updating, approving new policies
  • Evaluating IT vendors and which to pick, when to leave
  • Evaluating incident response vendors
  • Evaluating software options and how to configure them
  • Anything relating to information systems, cybersecurity, and privacy.

Committees do not have to result in bureaucratic paralysis

You can put one person in charge of the committee and make that person the decision maker. They retain that decision-making authority. The committee exists to be consulted and to provide feedback, not to vote every decision to a standstill.

Usually, CEOs, owners, and executives make better decisions and implement better policies after they have given quality employees an opportunity to research, review, and provide feedback.

What do we call this group of people?

I like the term "information governance committee" because it is broad and descriptive.

  • Information implies all information, including information systems, encompassing cybersecurity and privacy and more
  • Governance means management
  • Committee means a group of people.

There are other possible names too, which might be appropriate depending upon the organization.

  • A name that narrows the focus of the group (cybersecurity committee, privacy committee, information technology committee, etc.)
  • Steering committee
  • Management committee.

Why can't we outsource this role?

Organizations rely upon outside vendors and service providers for many things and this can extend to cybersecurity and information governance.

But they cannot outsource all decision making, nor the ultimate responsibility for cybersecurity. After all, someone in the organization needs to decide which outside vendors to use and why. Not every outside provider is perfect, and even when one is, the organization still needs to make its own decisions.

Whether the organization is seeking or obtaining advice from lawyers, cybersecurity consultants, information technology providers, or cybercrime incident response providers, they want to (1) find competent professionals but also (2) always retain the final decision-making ability.

To properly manage something, someone needs to be in charge of it, and that person needs quality advice and feedback. The person in charge should be inside the organization, and they need quality feedback from other people within the organization.

Who should be on the committee?

As above, the committee should be made up of people within the organization (not outside vendors, consultants, or attorneys).

Committee work is done best with quality employees who do their jobs well, have an interest in improving the organization, and will not create unnecessary friction.

Whom to pick is highly dependent on the organization and the people in it. You may decide not to place a person on the committee but to consult them regularly, because they may provide important feedback or hold a position that requires consultation. Many organizations do not have in-house personnel filling all of the roles below, and that is OK. They can consult externally as needed to advise the committee. Candidates include:

  • Top executive (CEO, Executive Director, etc.)
  • Owner(s)
  • Information security coordinator (or head of information security)
  • Cybersecurity head or professionals
  • IT head or IT professionals
  • Compliance professionals
  • Legal
  • Managers at appropriate levels within appropriate business lines
  • Line workers at appropriate levels (they use the technology every day).

Here is a general way to phrase it:

  • High level managers of the organization
  • The information security coordinator
  • Various stakeholders in various roles who are committed to the organization and protecting and improving it.
  • Traits that are desirable include:
    • Good common sense and an ability to follow facts and logic, assess risks, and make or advise for reasonable decisions.
    • Committed to the organization and protecting and improving it.
    • Can devote a reasonable amount of time to help assess and give solid input or advice.
    • A degree of technical knowledge is desirable, or at least a willingness to learn or listen about it.

How much time should they devote?

The committee needs to devote “reasonable” time to the important management of information assets. That will depend upon each organization, but the amount of time must be greater than zero.

We know that zero is not enough; some might call that negligent. So work with an amount of time that helps the organization, defends it, and is defensible if the decision is later questioned.

A part of a whole

Information governance and cybersecurity management can include these governance parts:

  • A governance document (a written rule of the organization about how to do it, such as a policy)
  • One individual in charge of cybersecurity (or information governance), with a title such as Information Security Coordinator or Chief Information Security Officer (CISO)
  • A group of people to assist with creation of policy and making certain strategic decisions (e.g. Information Governance Committee, Steering Committee, etc.)
    • A person leading that group of people (e.g., Chairperson of committee)

I have articles on each of these parts (see below).

Disclaimer

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform and you assume all risk for cybersecurity decisions you make. This is an introduction and more can be written on this topic.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts and you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.

Conclusion

Decisions on information systems have significant effects for organizations relating to mission, compliance, and protection. A committee helps the decision maker arrive at informed and reasonable decisions.

Well managed organizations properly govern their information assets, including people, computer devices, data, and networks.

If your organization has not yet designated someone to take responsibility for cybersecurity, now is the time.

If you are that person in charge of cybersecurity and need help, or if your organization needs help with cybersecurity, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/information-governance-committee, copyright John Bandler, all rights reserved.

Originally posted 4/28/2024, updated 9/26/2024.