This post explains what an Information Security Program is.
What is an Information Security Program?
According to ISACA, an information security program (ISP) is a set of activities that provide assurance that information assets are given a level of protection commensurate with their value or with the risk their compromise poses to the organization.
An ISP includes a coordinated set of activities, projects and/or initiatives to implement the information security strategy and manage the program.
Information security program management includes directing, overseeing and monitoring activities related to information security in support of organizational objectives.
What are the components of an Information Security Program?
Some possible components:
- Policies, standards, procedures, and security guidelines
- Security architecture
- Classification of information assets
- Risk Management
- Incident Response program
- Security Awareness Program
- Security Metrics Monitoring
What is a written Information Security Program?
A written information security program (WISP) can be legally required in some states in the USA.
External References
- ISACA; "CISM Review Manual 2013", Chapter 3 "Information Security Program Development and Management"; ISACA (2013)
- Fortra's Terranova Security; "Defining an Information Security Program"; Fortra's Terranova Security
- "What is a Written Information Security Program (WISP)?"