Infrastructure contracts trust and institutional updating
No matter how large or small your company is, you need to have a plan to ensure the security of your information assets.
Such a plan is called a security program by information security professionals.
Your security program defines what data is covered and what is not.
It assesses the risks your company faces, and how you plan to mitigate them.
It indicates how often the program will be re-evaluated and updated, and when you will assess compliance with the program.
It takes a holistic approach that describes how every part of your company is involved in the program.
A security program is not an incident handling guide that details what happens if a security breach is detected (see The Barking Seal Issue Q1 2006).
It’s also not a guide to doing periodic assessments, though it probably does dictate when to do a security assessment (see The Barking Seal Issue Q2 2008).
Regulatory standards that might affect you include HIPAA (for patient information), PCI (for credit card processing), FISMA (for governmental agencies and contractors, see The Barking Seal Q4 2006), Sarbanes-Oxley, and Gramm-Leach-Bliley (for corporate financial management).
Audit compliance plan
This component of your security program dictates how often you will audit your IT security and assess its compliance with your security program.
Consider the following examples:
Having a security program means that you’ve taken steps to mitigate the risk of losing data in any one of a variety of ways, and have defined a life cycle for managing the security of information and technology within your organization.
Hopefully the program is complete enough, and your implementation of the program is faithful enough, that you don’t have to experience a business loss resulting from a security incident.