List of the Security Program Documentation
Security Program Charter: This document states the mission and mandate of the information security program, as well as its overall strategy.
It also generally defines the scope of the program, the documented roles and responsibilities, the risk management system that will be used, and the communication framework for information flowing into and out of the program.
Security Policies, Standards, and Guidelines: This documentation is what most people think of as a security program. It is a suite of documents that are sometimes combined into one and at other times kept as individual groups of documents.
They usually cover the following domains, though this can vary depending on the best practice framework, if any, that was used in their design. Common best practice frameworks are ISO 27001 and NIST SP 800-53.
- Information Security Governance
- Incident Management
- Security Operations
- Vulnerability Management
- Acceptable Use
- Identity Management
- Security Architecture
- Network Security
- Application Security
The documents generally contain policy statements, which set the direction and overall organizational position on a domain of security; standards, which are the mandatory requirements that further define that position; and guidelines, which are the optional, recommended requirements.
Security Program Procedures and Processes
Another common suite of documentation is the set of documented procedures and processes for the common responsibilities of the security program.
Process and procedure documentation is commonly found in the following areas:
- Security Program Management
- Security Operations Management
- Security Policy Management
- Training and Awareness
Mike Gentile, President and CEO of CISOSHARE and author of the CISO Handbook and CISO Soft Skills, has been building information security programs for more than 20 years. He has built, in a full-time or consulting role, more than 100 information security programs across every industry in both private and public environments.
His first book, the CISO Handbook, was one of the first published works to provide a step-by-step methodical approach to building a security program. This methodology is used as courseware in many advanced teaching organizations on security leadership and has been implemented in thousands of organizations around the world.