¶ … security and governance program is "a set of responsibilities and practices that is the responsibility of the Board and the senior executives." This is the procedures by which the company ensures information security in the organization. The program consists of desired outcomes, knowledge of the information assets, and process integration (ITGI, 2013). Security of information is important because of the value of information, especially proprietary, in today's business world. The biggest differentiator between governance and IT security is that the latter is about the physical constructs of the IT program but governance incorporates everything include spoken communication so any form of information creation or handling. The first thing is the desired outcomes. The company has to know what it wants to accomplish with this program. Ideally there is alignment between the information security strategy and the organization's overall strategy. There should be risk management, so understanding the different risk and then taking steps to mitigate them. Performance management allows for the program to be evaluated, so that needs to be built into the program as well.

Thus, the ITGI recommends that the first step is to put information security on the Board's agenda. This is because leadership on this issue has to come from the top, with investments and visible support. The security leaders need to know their roles with respect to information security. The ITGI recommends that there is a committee to take charge of the project and the Board is able to measure and review organizational performance on this key issue. One of the things that makes governance programs work is when, culturally and structurally, having adequate security is viewed as a non-negotiable requirement of being in business (ITGI, 2013).

What is important is that there is an overarching security plan and process. The ITGI notes that in many organizations the security function become compartmentalized but that organization can improve their security by focusing on organization-wide integration of the security program. This will ensure that the organization has a consistent level of performance and that it has consistent measures to evaluate the security of the organizations information.

The objectives for the program should include the following: that information is available and usable when required, that systems are resistant to attacks, that information is only viable to those who need to know, it cannot be modified by unauthorized parties, and that exchanges between enterprise can occur if needed. The CIO needs specifically to develop the procedures and measures for the system, including the roles and responsibilities, and that there is also a training program that can be used with this organization to ensure that governance and security is something that the entire organization is focused on.

2.

Ran what down throats? Don't be stupid. If you want to learn about the company you're running, just ask like a civilized human being. Leave the offensive crap at the door when you talk to me. EISP is enterprise information security policy and IISP is issue-specific security policy. I briefed you on these when we implemented them last month, and you gave your approval. Let's go over it again.

Enterprise information security policy is the security policy that covers the entire organization. It's how we do things. The architecture of our information security is what comes out of that policy, because it reflects who we protect our information. Issue-specific security is just that, it covers specific issues that might arise. When those issues are unique, we sometimes have to do security a little differently, usually by adding onto the EISP.

IISP covers a lot of different things. It can encompass e-mail security or Internet security for example. So where EISP is the basic goals, objectives, software and processes that drives security for the whole company, IISP represents the specific policies for given issues. Where EISP is something we have set and will revisit occasionally, IISP are policies that need to be more flexible, evolving to meet our security needs as they change. So IISP is a lot of what the IT security people do. That's what the people in the organization see the most because we have been training people on ways to keep our information secure, so we do not lose our competitive advantage by having sensitivity information in the broader world. We are teaching people...

The performance of the company depends on the information we have so when that gets compromised we all lose. We're trying to protect the company's most important assets.
3. I would ask how he knew I was thinking about information security. That was pretty smart of him to read my mind like that. But yes, there are two things in particular that apply to the whole organization. The first is leadership and the second is the role that other offices play in implementing IS.

On the first, when we develop and implement and information security strategy, we will need suppose, both resource and vocal, from the C-suite. Information security has to be part of the organization culture, because information governance relates to all forms of communication, from all people. It is specially what goes on outside the confines of the IT department. So the entire organization needs to have guidance on information security in order to minimize the number of potential vulnerable points that the organization has.

The second is that the other offices all play a critical role in implementing information security. They should -- they are among the most vulnerable since they actually have sensitive information and are visible targets for things like industrial espionage. The C-suite people must not only lend resource and moral support, but they have to be trained in all aspects of information governance in particular. This is necessary so that the entire elongation has a strong culture of information security, understanding the risks and how to mitigate those risks. It is important as well that these individuals in particular do not become part of the problem. The COO is exactly somebody we need to work with closely on IT security and governance, so what needs to be conveyed the most at this point is that security is critical and that the COO needs to sit down with us in the next few days and we'll go over what we need from operations, especially in terms of the procedures and measures that are part of the information governance program. I would also want to impress upon the rest of the C-suit that they all play key roles in governance as well, and I will be meeting with all of them in the coming weeks to discuss how they are going to help improve the quality of information governance in this organization.

4.

Servers crash. So the big thing we need to do is to ensure that the servers are secure and that there is more than one server. I back up important personal information three ways, so the organization should have a standard like that as well. SO this is two issues -- multiple servers and added server security. Multiple servers is a critical issue, so that where there I a key server that we work with, that there is another backup server in a different location that we are also storing information on. This gives us a hedge against hardware failure.

Location is the other issue. No secure operation has all of its data in one place. It is important that the locations of are data are secure. There's a few keys to that. Obviously if it is going to be in zone that is susceptible to natural disasters that the facility it needs to be built to withstand catastrophe. There are earthquake specs in areas where quakes are a risk. If you're in a hurricane zone, the building needs to withstand the winds and the storm surge both. It can be more difficult to protect against a tornado but concrete bunkers work. The building needs to be able to withstand whatever that part of the country is going to throw at it. That includes fires -- we need more security than usually against fires because obviously water damage is just as bad as fire damage. Server-specific facilities are usually better in terms of their prevention -- you can't just run this out of a storage unit. IT has to be built for housing data.

So the best way to handle the issue is just to make sure that there are two or three servers with the same information so that the loss of a single server does not take down the whole company, and that all servers are located in a safe facility that is unlikely to be damaged or disrupted by natural disasters or even fire. Knowing the risks is critical to ensuring that problems do not occur,…