SOX and Security

EXECUTIVE SUMMARY

The Sarbanes-Oxley Act of 2002 and other recent privacy legislation have created a number of unique and sometimes ambiguous control and protection requirements which companies must address. Each organization is saddled with the issue of how to interpret and address the distinct requirements of each applicable piece of legislation while also meeting the other regulatory or governing-body requirements imposed on it.

To address the issue, organizations should consider implementing a comprehensive information security program to manage the controls, security and privacy of their information. By implementing a single program, the control environment will be more easily managed and provide a single source for identification and detail regarding specific controls.

The development and implementation of an information security program can be broken into five phases as defined below:

1. Define Requirements: This phase involves researching applicable legislation and governance for specific requirements for control activities and privacy / security considerations.
2. Design the Program: This phase involves designing a program framework that addresses the control activities and considerations identified in the first phase.
3. Build the Program: The documentation of all policies, standards and procedures occurs during this phase.
4. Implement the Program: This phase involves the actual implementation of the components of the program in a prioritized manner.
5. Manage the Program: This phase involves the ongoing management, direction, and sustainability of the program.

If appropriately planned, and implemented correctly ...
Words: 3085
Pages: 13