A Quick Overview of a Security Program and its Components

A security program is the system of policies and processes for protecting the confidentiality, integrity, and availability of information within a business.

If you were to walk into an organization and ask “Who is in charge of your information security program?” you would most likely get this answer: it’s the group charged with managing security.

But who’s in this group?

In most organizations, the information security program will be led by the Chief Information Security Officer (CISO). This role is often also titled manager, deputy director, director, or vice president of information security.

Security Program Documentation

The most common security program documentation is the suite of security policies together with the security program charter.

The security program charter describes the mission and mandate of the security group, while the security policies describe the rules for the organization as it relates to information security.

Security Program Structure

The security program structure describes how the security group is organized. It can be a single group for the whole organization, a separate group per business unit, or something in between.

Functional Capabilities of a Healthy Security Program

Any healthy security program must be able to do four things:

1. Set a benchmark for security by establishing a definition through the charter, policies, and other documentation.

2. Measure against this benchmark so that changes to the security program can be tracked over time.

3. Enable management decisions by communicating those measurements, and other information from the security program, to key stakeholders.

4. Support execution of those decisions once they’ve been made.

Management of Security Architecture

The security architecture of an organization is the set of people, process, and technical safeguards that either prevent security events from occurring (preventive safeguards) or detect that they have occurred (detective safeguards).

A key responsibility of the security program is to manage the effectiveness of these safeguards and to ensure that they remain appropriate for the environment they protect.