Cyber security is among the most pressing national priorities in the United States today. To address it, government agencies and organizations must align the education they provide with the skill set and knowledge the workforce actually requires. Information security programs manage business and technical risk by documenting roles and responsibilities within an organization. Such programs have grown over the last decade for business reasons such as cost control and regulatory requirements. An effective program helps maintain trust between business partners and customers while providing guidelines and supporting decision-making about how information is protected (Onsett). It provides confidentiality, integrity, and availability for information, whether stored or in transit, along with several other security properties (Office of the CISO). Especially where privacy is concerned, policies must be complied with and enforced regularly. The Gramm–Leach–Bliley Act sets out three basic privacy rules that must be met when handling customer information. All individuals and users accessing a network should be aware of the "open nature" of digital information and should assume that any event affecting stored or transferred data is possible. Because no system can absolutely guarantee that unauthorized users will not reach information, the enterprise remains responsible for respecting and protecting it. The protection of information comprises the people, processes, and technology involved. Access control is the first line of defense and is critical to ensuring that the right users have access to the right level of information. Authentication controls must be applied to digital assets so that they are not shared with or accessed by unintended users (Cal Poly). Metrics and processes measure how well the organization adheres to its policies, procedures, and guidelines, and they also help considerably with staying compliant with other regulatory statutes such as the Sarbanes-Oxley Act (Onsett).
Risk assessments identify threats and vulnerabilities and then determine the impact of each on information assets. By adopting recognized risk management standards and practices, organizations gain a more strategic and comprehensive way to manage their networks through technical and operational guidelines while mitigating threats and vulnerabilities. Existing security standards such as ISO/IEC 27002 provide assurance that IT systems and resources are appropriately secured with respect to the CIA triad. An organized and comprehensive information security program allows an organization to determine the priorities and levels of investment needed (Onsett).
Responsibilities and Roles
All enterprise security activities will be coordinated by a central security program office, structured after the government model. The key individuals are the Chief Information Security Officer (CISO), the Information Systems Security Officer (ISSO), the program manager, the business or department managers, the system administrators, and a team of analysts. The CISO will be responsible for the overall management and implementation of the program. The ISSO will have the duty of creating and maintaining security documentation while enhancing and monitoring the network or system and handling incidents on it. The Program Manager will be responsible for organizing the lifecycle planning (acquisition and operations) for the development of the program while ensuring that security and business aspects such as funding and system implementation are addressed. The system administrators will perform the daily tasks such as incident reports and change requests. They will be overseen and managed by the business or department managers, whose role is to assign duties to employees and enforce separation of duties while meeting the expectations and standards of the company. The relationship between...