Policy
Policy Name
Information Security Program Policy

Overview
An Information Security Program oversees the establishment and maintenance of information security policies, standards, and initiatives. To meet business objectives, the Security Program will establish security roles and provide oversight of security activities across the organization in order to meet regulations, reduce risk from threats, and enforce policies.

Statement
  • The organization must have an information security program responsible for the establishment and maintenance of information security policies and security activities.
  • The program must be approved by executive management, published, executed and communicated appropriately.
  • The organization must have an owner responsible for information security policies and oversight of security activities.
  • Information Security Policies must be reviewed at least annually and updated as appropriate for accuracy and completeness.
  • Information Security Policies must include high-level objectives and statements that individuals must follow to meet business, security and regulatory compliance requirements.
  • Information Security Policies are mandatory and supported by standards and procedures. Procedures include how policies and supporting standards should be implemented.

Justification

The following benefits will be achieved:

  • Up-to-date and current policies
  • Better oversight and coordination of security activities
  • Prioritization of security initiatives to better align with threats and business objectives

Scope
All employees, contractors, agents and third parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Information Security Program