Purpose of the Information Security Steering Committee
The Information Security Steering Committee (ISSC) oversees the organization's information security program, ensuring alignment with strategic goals and regulatory requirements. Sharing critical information, such as audit and compliance reports, enables informed decision-making and prioritization of security initiatives.
Importance of Audit and Compliance Reports
Audit Reports: These highlight vulnerabilities, non-compliance areas, and operational inefficiencies. Reviewing audit reports helps the ISSC address gaps proactively.
Compliance Reports: These ensure the organization meets regulatory and legal requirements, reducing the risk of fines, legal action, and reputational damage.
Sharing these reports ensures the committee is updated on the organization's current security posture and areas needing improvement.
Explanation of Other Options
A. Include a mix of members from different departments and staff levels: While having diverse members is beneficial for representation and perspective, it is not information to be "shared" with the committee.
C. Ensure that security policies and procedures have been vetted and approved: This is an operational requirement rather than the primary focus of information sharing during committee meetings.
D. Be briefed about new trends and products at each meeting by a vendor: Briefings from vendors may be useful occasionally but are not as critical as reviewing audit and compliance reports for ensuring the organization's security posture.
EC-Council CISO Guidance
The EC-Council CISO framework emphasizes the importance of governance, where oversight bodies like the ISSC are provided with actionable insights derived from audits and compliance evaluations. This allows the committee to make strategic decisions and enforce accountability.