ABSTRACT

An information security program is the umbrella heading for all security measures a company has in place. It can contain many elements, including physical security, system security, and internal controls, and it can touch virtually every part of an organization. Information security programs vary significantly by organization. Some companies have an extensive and formalized information security program based on a well-thought-out information security strategy, while another organization's idea of information security might amount to some physical security and password management. You will likely run into very different scenarios as you conduct security assessments. This chapter discusses the key elements of information security programs and how security assessments fit into the overall security picture. Understanding what an information security program is lays a good foundation for discussing security assessment methodology, because much of what you evaluate during an assessment is the information security program itself. The recommendations you make at the end of a security assessment are intended to enhance the overall information security program. Therefore, it is important to understand the key elements of an information security program before discussing the methodology.