==Sample Information Security Program Charter==

Information is an essential '''<Your Company Name>''' asset and is vitally important to '''<Your Company Name>'''’s business operations and long-term viability. '''<Your Company Name>''' must ensure that its information assets are protected in a manner that is cost-effective and that reduces the risk of unauthorized information disclosure, modification, or destruction, whether accidental or intentional.

The '''<Your Company Name>''' (the “Company”) Information Security Program will adopt a risk management approach to Information Security. The risk management approach requires the identification, assessment, and appropriate mitigation of vulnerabilities and threats that can adversely impact Company information assets.

This Information Security Program Charter serves as the “capstone” document for the Company Information Security Program. Information Security policies define Information Security objectives in topical areas. Information Security standards provide more measurable guidance in each policy area. Information Security procedures describe how to implement the standards.

== '''I. Scope''' ==

This Information Security Program Charter and associated policies, standards, guidelines, and procedures apply to all employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, at hosted or outsourced sites, or who have been granted access to Company information or systems.

== '''II. Information Security Program Mission Statement''' ==

The Company Information Security Program will use a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures that address security and privacy objectives in tandem with business and operational considerations.

The Company Information Security Program and its policies, standards, and guidelines must base their fundamental guidance, procedures, and commentary on the ISO 27002 framework. ISO 27002 is the renamed ISO 17799:2005 standard; it is a code of practice for information security, subject to the guidance provided within ISO 27001. The controls listed in the standard are intended to address the specific requirements identified through a formal risk assessment. The standard is also intended to guide the development of organizational security standards and effective security management practices.

The Information Security Program will protect information assets by developing Information Security policies to identify, classify, and define protection and management objectives, and define acceptable use of Company information assets.

The Information Security Program will reduce vulnerabilities by developing Information Security policies to assess, identify, prioritize, and manage vulnerabilities. The management activities will support organizational objectives for mitigating the vulnerabilities, as well as developing and using metrics to gauge improvements in vulnerability mitigation.

The Information Security Program will counter threats by developing Information Security policies to assess, identify, prioritize, and monitor threats. The monitoring activities will support organizational objectives for deterring, responding to, and recovering from threats. The monitoring activities also will support the development and use of metrics to gauge the level of threat activity and the effectiveness of the Company threat detection and response capabilities.

The Information Security Program will ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood by establishing a Security Awareness Program to educate and train the individuals, groups, and organizations covered by the scope of this Information Security Program Charter.

== '''III. Ownership and Responsibilities''' ==

The Board of Directors or its designated committee approves the Company Information Security Program Charter and any future revisions. This Information Security Program Charter assigns executive ownership of and accountability for the Company Information Security Program to the Chief Information Officer (CIO). The CIO must approve Company Information Security policies.

The CIO will appoint a Chief Information Security Officer (CISO) to implement and manage the Information Security Program across the organization. The CISO is responsible for the development of Company Information Security policies, standards, and guidelines. The CISO must approve Information Security standards and guidelines and ensure their consistency with approved Information Security policies. The CISO also will establish a Security Awareness Program to ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood across the organization.

Corporate Risk Management is responsible for ensuring that contracts, licenses, and agreements entered into by the Company comply with and uphold Information Security policies and standards, and that privacy and intellectual property rights are respected.

Company management is accountable for the execution of the Company Information Security Program and for ensuring that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood within their respective organizational units. Company management is also responsible for implementing procedures in their organizational units and ensuring their consistency with approved Information Security policies and standards.

All individuals, groups, or organizations identified in the scope of this Charter are responsible for familiarizing themselves with the Company Information Security Program Charter and complying with its associated policies.

== '''IV. Enforcement and Exception Handling''' ==

Failure to comply with Company Information Security policies, standards, guidelines, and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal action also may be taken for violations of applicable regulations and laws.

Requests for exceptions to Company Information Security policies, standards, and guidelines should be submitted to the approval authorities designated in the policies, standards, and guidelines. Exceptions shall be permitted only on receipt of written approval from an authorized approval authority.

== '''V. Review and Revision''' ==

The Company Information Security policies, standards, and guidelines shall be reviewed and/or revised under the supervision of the CISO, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness. A formal report comprising the results and any recommendations shall be submitted to the CIO.

Approved: _______________________________________________________

:::Signature

:::<Typed Name>

:::Chairperson of the Board or authorized designee

==Document Examples==

Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].

<gallery>
Image:Information Security Program Charter.png|Asset Identification and Classification Standard page one of five.
Image:Information Security Program Charter(1).png|Asset Identification and Classification Standard page two of five.
Image:Information Security Program Charter(2).png|Asset Identification and Classification Standard page three of five.
Image:Information Security Program Charter(3).png|Asset Identification and Classification Standard page four of five.
Image:Information Security Program Charter(4).png|Asset Identification and Classification Standard page five of five.
</gallery>