Information Security Program
Every security assessment conducted within an organization should produce a list of action items to close any identified gaps. These action items should be translated into a strategy for execution. The organization should also have an awareness plan that outlines all the activities for a year that will keep security at the forefront of the minds of all staff. The Information Security Program is the combination of the Security Strategy and the Security Awareness Plan, in line with the mission and vision of the organization.
- Policy is documented, approved, followed, reviewed, and updated regularly
- Policy should be standards-based in order to evolve over time
- Policy should include Appropriate Use so employees know what they may and may not do