Over the past few years there has been a heightened emphasis on cyber security. Recently, auditors in California have asked clubs to provide a report showing that their networks are “secure.” We have seen the auditors’ request and think it’s a good one. However, there are no real guidelines as to what should be on the security report.

During the past few years we have assisted a number of clubs to satisfy the auditors’ request for documented IT security. Without specified guidelines, however, it’s unclear how to go about it. The best place to start is to form an IT Security Committee. We can hear you sighing, “just what we needed … another Committee.” This, however, isn’t a member Committee, but rather a department head committee.

Who should be on the IT Security Committee?

There’s no one right answer to this question, but we’ve found that the following personnel works best.

• General Manager
• Controller
• Head of Human Resources
• Director of Security/Outsourced Security
• Internal IT/Outsourced IT
• Facilities Manager

You may also consider including the Chef, Director of Golf, Superintendent, and other key department heads.

Why should a private club form an IT Security Committee?

Here are a few reasons why this makes sense.

• Facilitates IT governance
• Removes IT department silos
• Provides organizational buy-in

What is IT Governance and how is it done at private clubs today?

IT Governance is the overall management of how the club’s IT systems are set up, supported, and maintained. Most clubs (and other kinds of businesses throughout the US) have ceded IT Governance to their outsourced IT vendors, who have set all the club’s IT policies. These polices include passwords, data backups, Web browsing, and computer patch policy, among many other policies that every club has. Unfortunately, we’ve found that very few, if any, of these policies are documented, reviewed, or followed.

Is there a better model for IT Governance?

We believe there is. And it starts with the IT Security Committee. Proper IT Governance should come from an internal IT Security Committee working in conjunction with the local outsourced IT company to set policy. The current setup has the outsourced IT company making all the decisions for blocking illicit websites, creating passwords and backups, providing remote access, and monitoring other areas.

An alternative model would have the IT Security Committee set policy with input from the outsourced IT vendor. The outsourced IT company would carry out the policy set by the IT Security Committee. A number of the club’s key IT policies should be reviewed and overhauled by the IT Security Committee. Then the club should engage an outside third party

(possibly the Auditors) to verify that the policies set by the IT Security Committee are properly installed and documented by the outsourced IT company. This would provide needed checks and balances to the current IT support structure.

The “Security Committee” concept would remove IT departmental silos as well. This structure, in use at a number of private clubs today, has the Facilities Director managing the security cameras, and the Controller overseeing the data network. This is a good example of IT silos. It’s rare that these two departments would collaborate on the overall setup of the club’s different systems.

The IT Security Committee brings all the departments together, which fundamentally changes the overall IT structure from a departmental view of IT to an organizational view. Going forward, an organizational approach would give the club a global view of the current and

future IT systems. A benefit of this setup would be buy-in from members of the IT Security Committee as a group. This is a significant change from the departmental approach. We often hear department heads complain that new IT systems are selected without their input. Basically, the organizational approach proactively brings the department heads to the table, to get their input and buy-in on new platforms.

In addition to IT Governance, the IT Committee would also review and approve IT Policies. We’ve found that there are several key areas for which polices need to be set. Below are a few that we found the auditors are specifically looking for.

• Passwords
• Onsite and offsite backups (archive)
• Blocking illicit websites
• Blocked countries
• Microsoft and third-party workstations

It is important for the IT Committee to be wary of creating too many IT policies. If you create a policy, it must be followed. The five policy areas listed above are the ones that you might want to focus on first.

Another benefit of creating these polices is accountability. Documenting the referenced policies forces the outsourced IT company to follow them. In the event of a data breach, and it was found that these polices were not followed, then the outsourced IT company would be liable for any damages. These policies, for the first time, hold organizations accountable for the management of the club’s systems.

We hope that clubs will find this management model helpful. The reality is that auditors’ IT security requests are not going away. In fact, they will probably increase over time. A private club is going to have to rethink older IT management practices. Taking an organizational approach to managing the long-term IT security for the club is a practical way to solve this problem, and we hope this document helps you get started.