Sample Information Security Program Charter:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Sample Information Security Program Charter==
This Information Security Program Charter serves as the capstone document for the Information Security Program. Information Security policies define Information Security objectives in topical areas. Information Security standards provide more measurable guidance in each policy area. Information Security procedures describe how to implement the standards.


== '''Sample Information Security Program Charter''' ==
==Objectives==
The Information Security Program will reduce vulnerabilities by developing Information Security policies to assess, identify, prioritize, and manage vulnerabilities. The management activities will support organizational objectives for mitigating the vulnerabilities, as well as developing and using metrics to gauge improvements in vulnerability mitigation.<br>
<br>
<br>
Information is an essential '''<Your Company Name>''' asset and is vitally important to '''<Your Company Name>'''’s business operations and long-term viability. '''<Your Company Name>''' must ensure that its information assets are protected in a manner that is cost-effective and that reduces the risk of unauthorized information disclosure, modification, or destruction, whether accidental or intentional.<br>
The Information Security Program will counter threats by developing Information Security policies to assess, identify, prioritize, and monitor threats. The monitoring activities will support organizational objectives for deterring, responding to, and recovering from threats. The monitoring activities also will support the development and use of metrics to gauge the level of threat activity and the effectiveness of the Company threat detection and response capabilities.<br>
<br>
The '''<Your Company Name>''' (the “Company”) Information Security Program will adopt a risk management approach to Information Security. The risk management approach requires the identification, assessment, and appropriate mitigation of vulnerabilities and threats that can adversely impact Company information assets.<br>
<br>
This Information Security Program Charter serves as the “capstone” document for the Company Information Security Program.  Information Security policies define Information Security objectives in topical areas. Information Security standards provide more measurable guidance in each policy area. Information Security procedures describe how to implement the standards.<br>
<br>
=='''I. Scope'''==
<br>
This Information Security Program Charter and associated policies, standards, guidelines, and procedures apply to all employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, at hosted or outsourced sites, or who have been granted access to Company information or systems.<br>
<br>
=='''II. Information Security Program Mission Statement'''==
<br>
The Company Information Security Program will use a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures that address security and privacy objectives in tandem with business and operational considerations.<br>
<br>
The Information Security Program will protect information assets by developing Information Security policies to identify, classify, and define protection and management objectives, and define acceptable use of Company information assets.<br>
<br>
The Information Security Program will reduce vulnerabilities by developing Information Security policies to assess, identify, prioritize, and manage vulnerabilities.  The management activities will support organizational objectives for mitigating the vulnerabilities, as well as developing and using metrics to gauge improvements in vulnerability mitigation.<br>
<br>
The Information Security Program will counter threats by developing Information Security policies to assess, identify, prioritize, and monitor threats. The monitoring activities will support organizational objectives for deterring, responding to, and recovering from threats. The monitoring activities also will support the development and use of metrics to gauge the level of threat activity and the effectiveness of the Company threat detection and response capabilities.<br>
<br>
<br>
The Information Security Program will ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood by establishing a Security Awareness Program to educate and train the individuals, groups, and organizations covered by the scope of this Information Security Program Charter.<br>
The Information Security Program will ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood by establishing a Security Awareness Program to educate and train the individuals, groups, and organizations covered by the scope of this Information Security Program Charter.<br>
<br>
<br>
=='''III. Ownership and Responsibilities'''==
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
The Chief Executive Officer (CEO) approves the Company Information Security Program Charter. This Information Security Program Charter assigns executive ownership of and accountability for the Company Information Security Program to the Chief Information Officer (CIO). The CIO must approve Company Information Security policies.<br>
<br>
The CIO will appoint a Chief Information Security Officer (CISO) to implement and manage the Information Security Program across the organization. The CISO is responsible for the development of Company Information Security policies, standards and guidelines. The CISO must approve Information Security standards and guidelines, and ensure their consistency with approved Information Security policies. The CISO also will establish a Security Awareness Program to ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood across the organization.<br>
<br>
Legal counsel is responsible for ensuring that contracts, licenses, and agreements entered into by the Company comply with and uphold Information Security policies and standards, and that privacy and intellectual property rights are respected.<br>
<br>
Company management is accountable for the execution of the Company Information Security Program and ensuring that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving and implementing procedures in their organizational units, and ensuring their consistency with approved Information Security policies and standards.<br>
<br>
All individuals, groups, or organizations identified in the scope of this Charter are responsible for familiarizing themselves with the Company Information Security Program Charter and complying with its associated policies.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with Company Information Security policies, standards, guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to Company Information Security policies, standards, and guidelines should be submitted to the approval authorities designated in the policies, standards, and guidelines.  Exceptions shall be permitted only on receipt of written approval from an authorized approval authority.<br>
<br>
== '''V. Review and Revision''' ==
<br>
The Company Information Security policies, standards, and guidelines shall be reviewed and or revised under the supervision of the CISO, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness. A formal report comprising the results and any recommendations shall be submitted to the CIO.<br>
<br>
<br>
Approved:        _______________________________________________________<br>
<br>
:::Signature<br>
<br>
:::<Typed Name><br>
<br>
:::Chairperson of the Board or authorized designee<br>
<br>
<br>
<gallery>
Image:Information Security Program Charter.png|Asset Identification and Classification Standard page one of five.
Image:Information Security Program Charter(1).png|Asset Identification and Classification Standard page two of five.
Image:Information Security Program Charter(2).png|Asset Identification and Classification Standard page three of five.
Image:Information Security Program Charter(3).png|Asset Identification and Classification Standard page four of five.
Image:Information Security Program Charter(4).png|Asset Identification and Classification Standard page five of five.
</gallery>

Latest revision as of 15:19, 13 January 2014

Sample Information Security Program Charter

This Information Security Program Charter serves as the capstone document for the Information Security Program. Information Security policies define Information Security objectives in topical areas. Information Security standards provide more measurable guidance in each policy area. Information Security procedures describe how to implement the standards.

Objectives

The Information Security Program will reduce vulnerabilities by developing Information Security policies to assess, identify, prioritize, and manage vulnerabilities. The management activities will support organizational objectives for mitigating the vulnerabilities, as well as developing and using metrics to gauge improvements in vulnerability mitigation.

The Information Security Program will counter threats by developing Information Security policies to assess, identify, prioritize, and monitor threats. The monitoring activities will support organizational objectives for deterring, responding to, and recovering from threats. The monitoring activities also will support the development and use of metrics to gauge the level of threat activity and the effectiveness of the Company threat detection and response capabilities.

The Information Security Program will ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood by establishing a Security Awareness Program to educate and train the individuals, groups, and organizations covered by the scope of this Information Security Program Charter.

Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.