Friday, January 31, 2020

Review and evaluation of information security program Term Paper

Review and evaluation of information security program - Term Paper Example

1. Introduction
2. Information security governance and its strategy
3. Regulations for information security in the banking software industry and their influence on governance of the security program
4. Information security governance model and framework
5. Implementation of the company's security program, challenges and their remedies
6. Measuring the company's information security program success
7. What is working well within the company's security program?
8. What is not working well within the company's security program?
9. Improvement of information security governance
10. Conclusion

1. Introduction

An IT oriented company is more prone to information security risks than a regular institution. The company under consideration provides banking software services, a complex task that requires complete security for its clients. The company consists of several departments such as administration, finance and software development, among others, bringing the total workforce to over 200 individuals. The company's information security governance formulates strategic goals, ensures achievement of those goals, manages risks, makes use of resources, and carefully assesses the achievement of the information security program. ... Previously the company did not have well-structured procedures to evaluate attainment of the set information security objectives in order to take appropriate intervention measures. As of now the company has an efficient approach to the management of security threats and risks. This approach has been made possible by the implementation of some aspects of security management.
Information security policies

According to Monaghan (2009), there are various security policies that ensure effective information security governance and provide a way of protecting the organization's information assets (information and information systems) from destruction, disruption, unauthorized access, use or disclosure.

The Personal Communication Devices and Voicemail policy describes Information Security's requirements for the usage of Personal Communication Devices and Voicemail, which include all handheld wireless devices, wireless cards and pagers for an organization. Bluetooth devices and voicemail boxes are issued to authorized personnel upon approval. This policy further dictates that files containing data deemed sensitive shall never be stored on these devices.

The Physical security policy governs access to facilities housing critical information systems and back-up systems, such as the company server rooms. These facilities are subject to access monitoring, enabling capture of the identity of each person entering or exiting as well as the timestamp. This policy ensures that network devices, servers and storage media are kept in secure locations accessed only by authorized personnel, and that entry codes are changed periodically where locking mechanisms with keypads are used. It gives
