
Information Security Governance Framework

Checklist columns: Area | Requirement | Status | Notes
(The Status and Notes columns are left blank for the assessor to complete for each requirement.)

Area: Organizational Unit Security Program

Procedures

- Periodic assessment of the risk and magnitude of the harm that could result from the unauthorized use, disclosure, disruption, modification, or destruction of information or information systems.
- Policies and procedures that are based on risk assessments and cost-effectively reduce information security risks to an acceptable level.
- Ensuring that information security is addressed throughout the life cycle of each information system.
- Pursuing compliance with the requirements of this document, with policies and procedures as may be prescribed by the Senior Executive, and with any other applicable legal, regulatory, or contractual requirements.
- Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate.
- Security awareness training to inform personnel, including contractors and other users of information systems, who support the operations and assets of the organizational unit.
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk, but no less than annually.
- A process for pursuing remedial action to address any deficiencies in the information security policies, procedures, and practices.
- Procedures for detecting, reporting, and responding to security incidents.

Area: Organizational Unit Reporting

- Report periodically to the appropriate senior executive on the adequacy and effectiveness of the information security program, including compliance with the requirements of this document.
- Address the adequacy and effectiveness of the information security program in the organizational unit's budget, investment, and performance plans and reports.
- Report any significant deficiency in organizational information security practices, the planned remedial actions to address such deficiencies, and an indication of the level of residual risk deemed acceptable.
- In consultation with the appropriate senior executive, report as part of the performance plan a description of the time periods and the resources, including budget, staffing, and training, that are necessary to implement the required information security program elements.
- Provide customers and business partners with timely notice of, and opportunities to comment on, proposed information security policies and procedures to the extent that such policies and procedures affect communication with them.
- Testing of the effectiveness of the information security policies, procedures, and practices of a representative subset of the organizational unit's information systems.

Area: Independent Information Security Program Evaluation

- An assessment of compliance with the requirements of this document and related information security policies, procedures, standards, and guidelines.
- The evaluation should be performed in accordance with generally accepted auditing standards.
- The evaluation may be based in whole or in part on an audit, evaluation, or report relating to the programs or practices of the applicable organizational unit.
- Organizational units and evaluators should take appropriate steps to protect related information which, if disclosed, may adversely affect information security. Such protections should be commensurate with the risk and comply with all applicable laws and regulations.
- The Senior Executive should summarize the results of the evaluations conducted under this section in a report to the Board of Directors/Trustees, or to a similar governance entity where such an entity exists.
