Sample Information Security Program Charter

From HORSE - Holistic Operational Readiness Security Evaluation. Revision as of 06:29, 15 April 2007.


Information is an essential EPCCO asset and is vitally important to EPCCO’s business operations and long-term viability. EPCCO must ensure that its information assets are protected in a manner that is cost-effective and that reduces the risk of unauthorized information disclosure, modification, or destruction, whether accidental or intentional.

EPCCO (the “Company”) Information Security Program will adopt a risk management approach to Information Security. The risk management approach requires the identification, assessment, and appropriate mitigation of vulnerabilities and threats that can adversely impact Company information assets.

This Information Security Program Charter serves as the “capstone” document for the Company Information Security Program. Information Security policies define Information Security objectives in topical areas. Information Security standards provide more measurable guidance in each policy area. Information Security procedures describe how to implement the standards.

I. Scope


This Information Security Program Charter and associated policies, standards, guidelines, and procedures apply to all employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, at hosted or outsourced sites, or who have been granted access to Company information or systems.

II. Information Security Program Mission Statement


The Company Information Security Program will use a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures that address security and privacy objectives in tandem with business and operational considerations.

The Information Security Program will protect information assets by developing Information Security policies that identify and classify Company information assets, define their protection and management objectives, and define acceptable use of those assets.

The Information Security Program will reduce vulnerabilities by developing Information Security policies to assess, identify, prioritize, and manage vulnerabilities. The management activities will support organizational objectives for mitigating the vulnerabilities, as well as developing and using metrics to gauge improvements in vulnerability mitigation.

The Information Security Program will counter threats by developing Information Security policies to assess, identify, prioritize, and monitor threats. The monitoring activities will support organizational objectives for deterring, responding to, and recovering from threats. The monitoring activities will also support the development and use of metrics to gauge the level of threat activity and the effectiveness of the Company threat detection and response capabilities.

The Information Security Program will ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood by establishing a Security Awareness Program to educate and train the individuals, groups, and organizations covered by the scope of this Information Security Program Charter.

III. Ownership and Responsibilities


The Chief Executive Officer (CEO) approves the Company Information Security Program Charter. This Information Security Program Charter assigns executive ownership of and accountability for the Company Information Security Program to the Chief Information Officer (CIO). The CIO must approve Company Information Security policies.

The CIO will appoint a Chief Information Security Officer (CISO) to implement and manage the Information Security Program across the organization. The CISO is responsible for the development of Company Information Security policies, standards, and guidelines. The CISO must approve Information Security standards and guidelines, and ensure their consistency with approved Information Security policies. The CISO will also establish a Security Awareness Program to ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood across the organization.

Legal counsel is responsible for ensuring that contracts, licenses, and agreements entered into by the Company comply with and uphold Information Security policies and standards, and that privacy and intellectual property rights are respected.

Company management is accountable for the execution of the Company Information Security Program and ensuring that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving and implementing procedures in their organizational units, and ensuring their consistency with approved Information Security policies and standards.

All individuals, groups, or organizations identified in the scope of this Charter are responsible for familiarizing themselves with the Company Information Security Program Charter and complying with its associated policies.

IV. Enforcement and Exception Handling


Failure to comply with Company Information Security policies, standards, guidelines, and procedures can result in disciplinary action up to and including termination of employment for employees, or termination of contracts for contractors, partners, consultants, and other entities. Legal action may also be taken for violations of applicable regulations and laws.

Requests for exceptions to Company Information Security policies, standards, and guidelines should be submitted to the approval authorities designated in the policies, standards, and guidelines. Exceptions shall be permitted only on receipt of written approval from an authorized approval authority.

V. Review and Revision


The Company Information Security policies, standards, and guidelines shall be reviewed under the supervision of the CISO, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness. A formal report comprising the results and any recommendations shall be submitted to the CIO.


Approved: _______________________________________________________

Signature


<Typed Name>


Chief Executive Officer