Which of the following is the best artifact that directs information security programs? (Wentz QOTD)
A. Program management plan
B. Portfolio charter
C. Program policy
D. Business case
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Program policy.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
A policy is a statement of management intent that documents objectives, rules, practices, or regulations; directs activities; and shapes the behavior of people.
A policy refers to “intentions and direction of an organization as formally expressed by its top management.” (ISO 21401:2018)
A policy is a “set of rules related to a particular purpose” (ISO 19101-2:2018), reflecting management intent.
A policy is “a statement of objectives, rules, practices or regulations governing the activities of people within a certain context.” (NISTIR 4734)
Program and Issue-Specific Policy
- A program policy is a high-level document created to direct and initiate an organization’s program.
- Issue-specific policies are developed to address areas of current relevance and concern to an organization.
Information Security Program Policy
Program policy is used to create an organization’s information security program. Program policies set the strategic direction for security and assign resources for its implementation within the organization. A management official—typically the SISO—issues program policy to establish or restructure the organization’s information security program.
This high-level policy defines the purpose of the program and its scope within the organization, addresses compliance issues, and assigns responsibility to the information security organization for direct program implementation as well as other related responsibilities.
Source: NIST SP 800-12 R1