The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

Based on what you have read, consider the following questions and how you would reply to them:

• Does your company have plans that can be considered to be strategic, tactical, or annual, for example, long-range, short-range plans?

• Have you read them?

• If not, how do you know you are providing adequate service and support to the company?

• Do you have strategic, tactical, and annual plans that support the company's business plans?

• If so, are they current?

• How do you know?

• Do you have a process in place to keep them current?

• If not, why not?

• If you do have such plans, do you have a process in place and flow-charted to show how the plans, your information and systems protection functions, projects, risk management strategy, cost-benefit philosophy, and such are integrated into your CIAPP that supports the company's plans?

• If not, why not?