A security program is a system for protecting the confidentiality, integrity, and availability of information within a business.
If you were to walk into an organization and ask “Where is the information security program?” you would most likely get this answer: It’s with the group charged with managing security. But who are they exactly?
In most organizations, the information security program will be led by the Chief Information Security Officer or CISO. This job is often also called the manager deputy director, director or vice president of information security.
Watch Exclusive Video: Tips & Techniques to Enable Informed Decision Making from your Information Security Program
Security Program Documentation
The most commonly known security program documentation is represented in the suite of security policy documentation and the security program charter.
The security program charter describes the mission and mandate of the security group, while the security policies describe the rules for the organization as it relates to information security.
Security Program Structure
This describes the way the group is organized. It can be one group for the organization, multiple groups per business unit, or something in between.
Functional Capability of Health Security Program
Any healthy security program must be able to do 4 things:
1. Set a benchmark for security
2. Measure against the benchmark
3. Enable management decisions
4. Support execution of those decisions
Management of Security Architecture
The security architecture in an organization is the people, process, and technical safeguards that either prevent security events from occurring (preventive safeguards) or detect if they have occurred (detective safeguards).
A key responsibility of a security program is to manage the effectiveness of these safeguards, as well as to ensure that they are appropriate for the environment.
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, provided hundreds of presentations, and built many Security Programs in both internal and external consulting roles