
CSOL 540 Assignment 1: Security Program Charter Marc Leeka

Sample Corporation Information Security Program Charter

Sample Corporation's vision is to help people enjoy a healthy life by offering affordable
solutions to health care insurance. We provide innovative and outstanding products and
unsurpassed service that, combined, deliver exceptional value to our customers. We are
personally accountable for delivering these commitments to our customers, who at the same time
are also our shareholders.

Information is an essential Sample Corporation asset and is vitally important to Sample
Corporation's business operations and long-term viability. Sample Corporation will ensure that
its information assets are protected in a manner that is cost-effective and that reduces the risk of
unauthorized information disclosure, modification, or destruction, whether accidental or
intentional.

Sample Corporation's Information Security Program will adopt a risk management approach to
Information Security. The risk management approach requires the identification, assessment, and
appropriate mitigation of vulnerabilities and threats that can adversely impact Sample
Corporation's information assets.

This Information Security Program Charter serves as the capstone document for the Sample
Corporation Information Security Program. Policies further define the Information Security
objectives in topical areas. Standards provide more measurable guidance in each policy area.
Procedures describe how to implement the standards.

I. Scope

This Information Security Program Charter and associated policies, standards, guidelines, and
procedures apply to all employees, contractors, part-time and temporary workers, and those
employed by others to perform work on Sample Corporation premises or who have been granted
access to Sample Corporation information or systems.

This Information Security Program Charter and associated policies, standards, guidelines, and
procedures apply to all business units, physical locations, technology systems and data.

II. Information Security Program Mission Statement

The Information Security Program will comply with relevant legal and regulatory requirements
to ensure that statutory obligations are met, clients' expectations are managed, and civil or
criminal penalties are avoided.

The Information Security Program will adopt a risk-based approach to ensure that information
security risks are treated in a consistent and effective manner.


The Information Security Program will protect information assets by developing policies to
identify, classify, define protection and management objectives, and define acceptable use of
Sample Corporation information assets.

The Information Security Program will ensure that information security is integrated into
essential business activities.

The Information Security Program will safeguard the confidentiality, integrity, and availability
of the network, systems, and applications. The program will protect confidential or sensitive
information from unauthorized use or disclosure. The management activities will support
organizational objectives for mitigating vulnerabilities, as well as for developing and using
metrics to gauge improvements in vulnerability mitigation.

The Information Security Program will provide security awareness training and education for all
Sample Corporation employees in any capacity, contractors and others who are within the scope
of this Charter to ensure that the Charter and associated policies, standards, guidelines, and
procedures are properly communicated and understood.

The Information Security Program will achieve a proactive response model. The program will
counter threats by developing policies to assess, identify, prioritize, and monitor threats. The
monitoring activities will support organizational objectives for deterring, responding to, and
recovering from threats. The monitoring activities also will support the development and use of
metrics to gauge the level of threat activity and the effectiveness of the corporation's threat
detection and response capabilities. The program will foster a security-positive culture that
influences the behavior of end users to reduce the likelihood of information security incidents
and limit their potential business impact.

III. Ownership and Responsibilities

The Chief Executive Officer approves this Sample Corporation Information Security Program
Charter. The Information Security Program Charter assigns executive ownership of and
accountability for the Sample Corporation Information Security Program to the Chief
Information Officer (CIO). The CIO must approve Information Security policies.

The CIO will appoint a Chief Information Security Officer (CISO) to implement and manage the
Information Security Program across the organization. The CISO is responsible for the
development of Sample Corporation Information Security policies, standards and guidelines, and
for ensuring their consistency with approved Information Security policies. The CISO also will
establish an Information Security Awareness Program to ensure that the Information Security
Charter and associated policies, standards, guidelines, and procedures are properly
communicated and understood across the organization.


The CISO will convene an Information Security Council that shall include representatives of the
major institutional data owners, the Office of Legal Counsel and others as deemed appropriate.
The Information Security Council is responsible for:

- Coordinating and directing the security framework, including the information security
  controls within the organization;
- Making appropriate recommendations on information security policy and related documents;
- Periodically reviewing information security policy and related documents to ensure the
  efficiency and effectiveness of the information security control infrastructure as a whole,
  recommending improvements wherever necessary;
- Identifying significant trends and changes to the organization's information security risks
  and, where appropriate, proposing changes to the controls framework;
- Reviewing serious security incidents and, where appropriate, recommending strategic
  improvements to address any underlying root causes;
- Periodically reviewing reports on the status of the security controls infrastructure as supplied
  by the Chief Information Security Officer;
- Assisting in publicizing and implementing information security policy documents, controls, and
  best practices within their divisions.

All individuals, groups, or organizations identified in the scope of this Charter are responsible for
familiarizing themselves with the Sample Corporation Information Security Program Charter and
complying with its associated policies.

IV. Enforcement and Exception Handling

Failure to comply with Sample Corporation Information Security policies, standards, guidelines
and procedures will result in disciplinary actions up to and including termination of employment
for employees or termination of contracts for contractors, partners, consultants, and other
entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to Sample Corporation Information Security policies, standards, and
guidelines should be submitted to the Information Security Council. Exceptions shall be
permitted only on receipt of written approval from the CISO or CIO.

V. Review and Revision

The Sample Corporation Information Security policies, standards, and guidelines shall be
reviewed under the supervision of the CISO, either annually or upon significant changes to the
operating or business environment, to assess their adequacy and appropriateness. A formal report
comprising the results and any recommendations shall be submitted to the CIO.


Approved: ____________________________________ ____________


Signature Date

Chief Executive Officer


Sample Corporation

