Overview

Information is an essential (Company name) asset and is vitally important to our business operations and delivery of services. (Company name) must ensure that its information assets are protected in a manner that is cost-effective and that reduces the risk of unauthorized information disclosure, modification, or destruction, whether accidental or intentional.

The Information Security Program will adopt a risk management approach to Information Security. The risk management approach requires the identification, assessment, and appropriate mitigation of vulnerabilities and threats that can adversely impact (Company name)’s information assets.

This Information Security Program Charter serves as the "capstone" document for an Information Security Program.

1. Scope

This Information Security Program Charter and associated policies, standards, guidelines, and procedures apply to all employees, contractors, part-time and temporary workers, and those employed by others to perform work on (Company name) premises or who have been granted access to (Company name) information or systems.

2. Information Security Program Mission Statement

(Company name) Information Security Program will use a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures that address security objectives in tandem with business and operational considerations.

The Information Security Program will develop policies to define protection and management objectives for information assets. The Information Security Program will also define acceptable use of (Company name) information assets.

The Information Security Program will attempt to reduce vulnerabilities by developing policies to monitor, identify, assess, prioritize, and manage vulnerabilities and threats. The management activities will support organizational objectives for mitigating, responding to and recovering from identified vulnerabilities and threats.

The Information Security Program will ensure that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood by establishing a Security Awareness Program to educate and train the individuals, groups, and partners covered by the scope of this Charter.

3. Ownership and Responsibilities

The Chief Executive Officer (CEO) approves (Company name)’s Information Security Program Charter. The Information Security Program Charter assigns executive ownership of and accountability for (Company name) Information Security Program to the Chief Technology Officer (CTO). The CTO must approve Information Security policies.

The CTO will appoint a Chief Security Officer (CSO) to implement and manage the Information Security Program across (Company name). The CSO is responsible for the development of (Company name) Information Security policies, standards and guidelines, including PCI compliance. The CSO must approve Information Security standards and guidelines, and ensure their consistency with approved Information Security policies. The CSO also will establish an Information Security Awareness Program to ensure that the Information Security Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood across (Company name).

The Chief Security Officer (CSO) will establish a list of "Dependent Site Coordinators". The senior business or technical employee of each remote site or partner will be designated the Dependent Site Security Coordinator unless that person designates someone else. The role of the Dependent Site Security Coordinator includes submitting security requests, reviewing authorization reports, and being the main point of contact between the site/partner and (Company name)'s CSO.

(Company name)'s CSO is accountable for the execution of (Company name) Information Security Program and ensuring that the Information Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated and understood among (Company name) sites, employees, and partners.

All individuals, groups, or organizations identified in the scope of this Charter are responsible for familiarizing themselves with (Company name) Information Security Program Charter and complying with its associated policies.

4. Enforcement and Exception Handling

Failure to comply with (Company name) Information Security policies, standards, guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to (Company name) Information Security policies, standards, and guidelines should be made on the Request for Exceptions to Information Technology Standards & Policy form and submitted to the CSO. Exceptions shall be permitted only on receipt of written approval from the CSO or appropriate (Company name) executive.

5. Review and Revision

(Company name) Information Security policies, standards, and guidelines shall be reviewed under the supervision of the CSO, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness.

Approved

Signature

___________________________________________________

Print the following details using capital letters:

Name

___________________________________________________

Title

___________________________________________________

Date (MM/DD/YYYY)

___________________________________________________