Information security program documentation is important to ensuring that the program is adhered to throughout an organization. This documentation can serve as a means of establishing a benchmark for the security program so that your organization can see the impact of any change and progress.
The documentation should also provide enough information to help employees answer any customer-requested questionnaires and assessments, and serve as a guide for any new and existing employees on the security team and how it’s defined within the company.
The key documents that should be included within a security program include the following items:
Security Program Charter: This document will illustrate the mission and mandate of the information security program, as well as its overall strategy.
It also generally has the scope of the program, documented roles, and responsibilities, the risk mgmt. A system that will be utilized, and the communication framework for information going into the program and out of the program.
Security Policies, Standards, and Guidelines: This documentation is generally what most people believe a security program to be. It is a suite of documentation, that are sometimes either combined or at times are individual groups of documents.
They usually exist in the following domains, though this can vary depending on the best practice framework, if any, that were used in their design. Common best practice frameworks that are used are ISO27001 or NIST 800-53.
- Information Security Governance
- Risk Management
- Compliance
- Incident Management
- Security Operations
- Vulnerability Management
- Acceptable Use
- Identity Management
- Security Architecture
- Network Security
- Application Security
- Business Continuity
The documents generally contain policy statements, which set the direction and overall organizational position on a domain of security, the standards, which are more the requirements to further define this position, as well as optional requirements which are defined as guidelines.
Security Program Documentation Procedures and Processes
Another common suite of documentation is the documented security procedures and processes for common responsibilities of the security program.
Common process and procedure documentation will be in the following areas:
- Security Program Management
- Security Operations Management
- Risk Management
- Vulnerability Management
- Incident Management
- Security Policy Management
- Compliance Management
- Training and Awareness