Information Security Program Development

Goals and End State

Our goals are to:

  • Implement policies and procedures to protect your valuable information assets from unauthorized disclosure, tampering, corruption, or loss due to malicious acts, user error, or hardware/software failures.
  • Improve the resilience of your information technology and communications systems to minimize outages and downtime
  • Where feasible, eliminate the possibility that an outage may exceed the maximum allowable downtime as specified by management.

If your businesses has never implemented Information Security, the process will most likely alert you to routine information disclosure you were not aware of. Addressing this will immediately enhance the value of your information assets. The Information Security Program will also decrease incidence of other types of information security breaches, such as corruption and deletion of data or system unavailability, which will reduce the resultant loss of revenue, opportunities, and reputation.

By developing the program in an analytical manner using business objectives and risk assessments, the value of the benefits will exceed the investments and costs of implementation, making the program a profitable endeavor.


The Information Security program applies to:

  • Non-technical management of information assets;
  • Routine operations of your information technology and communication systems; and
  • Integration of security during the software planning and development process to eliminate technological vulnerabilities that could lead to data breaches (if your company develops proprietary or in-house software)


Depending on the level of formality appropriate for your business size, culture, and value of information assets at risk, we will produce the following valuable intangible assets:

  • Enterprise Risk Management Program Charter and Policy
  • Information Security Program Charter
  • Information Security Management Strategy
  • Risk Management Plan for Information Security
  • Threat Modeling Chart and Business Impact Analysis
  • Vulnerability Management Program
  • Risk Assessment Chart for Information Security, including Risk Controls Register and Metrics
  • Information Security Policy
  • Register of Information Security Roles and Responsibilities
  • Data Classification Scheme and Data Permissions Register
  • Compliance Management Procedures
  • Incident Response Policy and Plans
  • Incident Monitoring and Alerts Register
  • Disaster Recovery Plan
  • User and Partner Training/Awareness Plans
  • Information Security Program Performance Assessment Plan

Additional Notes

Implementation of an Information Security Program requires support and input from top-level management in order to align this program with your company's business objectives, risk tolerance thresholds, and other business systems in place (such as service/product delivery, human resources, and facilities management). J.D. Fox Exec will provide guidance at each relevant step in the process.

We will develop and implement your Information Security Program together as a project. At the end of the project, the Program will provide for Information Security on an ongoing basis. The Program itself will need to be regularly assessed for performance, reviewed, and updated. We will design the Program so that your company can manage this internally going forward; procedures and metrics will be included in the Peformance Assessment Plan. Or, you may choose to engage J.D. Fox Exec periodically to assist with reviews, assessments, and modifications to the Program.

If your company has neither an Information Security program or Business Continuity plan, developing both together will greatly improve efficiency and return on your investment, as there is significant overlap between the two processes.