An Information Security program is a set of processes and documents implemented to execute the organization's strategy for addressing risks to the confidentiality, integrity, and availability of data. It is important to note that while Cybersecurity has been a popular marketing word lately, Cybersecurity mainly deals with protecting digital assets. In contrast, Information Security deals with threats to the confidentiality, integrity, and availability of data in all forms and across all threat vectors. Cybersecurity is an essential component of any Information Security Program.
A mature Information Security Program consists of several components, including:
- Information Security Governance and Oversight
- Security Policies, Processes, Standards, etc.
- Risk Management
- Access Management
- Security Incident Monitoring and Response
- Threat and Vulnerability Management
- Security Awareness and Training
- Business Continuity and Disaster Recovery
- Physical Security
- Compliance Management
It is important that the organization has an appointed role (such as a CISO) responsible for Information Security Program management.