Management of Information Security, 2
Chapter 5: Developing the Security Program
What is an information security program?
Answer: An information security program is the structure and organization of the effort that contains risks to the information assets of the organization.
What functions constitute a complete information security program?
Answer: Risk Management, Risk Assessment, Systems Testing, Policy, Legal Assessment, Incident Response, Planning, Measurement, Compliance, Centralized Authentication, Systems Security Administration, Training, Network Security Administration, Vulnerability Assessment.
What organizational variables can influence the size and composition of an information security program’s staff?
Answer: Budget, sensitivity of information, regulations, and profitability.
What is the typical size of the security staff in a small organization? A medium-sized organization? A large organization? A very large organization?
Answer: Small – 1 full-time, with 1 or 2 assistants.
Medium – 1 full-time, with 2 or 3 assistants.
Large – 1-2 full-time admins, 3-4 techs, 16 assistants.
Very Large – 20 full-time, 40 assistants.
Where can an organization place the information security unit? Where should (and shouldn’t) it be placed?
Answer: InfoSec is often located within the information technology department, headed