The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program
Evaluations and analyses of the entire CIAPP and InfoSec organization help maintain a proactive and current protected-information environment. The ISSO should remember the following points:
- It is a good idea to evaluate the entire CIAPP and InfoSec functions on an annual basis.
- The evaluation should include all projects and LOEs.
- Changes should be made where value is added in terms of cost decreases, productivity gains, or time savings.
- Executive management should receive a clear, concise, business-oriented briefing on the state of the CIAPP and IWC's current protected information environment on at least an annual basis.
- Metrics charts should be evaluated at least annually, then eliminated or modified as necessary.
- Link analysis methodologies are useful in determining the success of an InfoSec Program.