Sample Research Paper on Outline of an Information Security Program


Information security is an area that has gained more popularity, as each organization would like to ensure that its data is secure from any external or unauthorized internal access.  Lack of computer security may make some individual leave their work places (Thorton Consulting, 1996) This makes an organization to develop a comprehensive and elaborate information security program (SANS Institute, 2003). This program has many faces also called facets that link to each producing a unified whole system.

Facets for information security program
Security laws and regulations

Before an organization designs its own information security program it has to take into consideration of the laws and regulations that exist. These regulations would also ensure that systems are designed to the acceptable standards, protection of propriety information and copyright data.

Security standards and best practices

In everything that one does there is always the best and acceptable practices that are accepted. This must be well elaborated in a security system; the standards would also be in place to protect the organization’s security assets (SANS Institute, 2003).These elements include ensuring that data or information is available when required, the system being responsive and reliable and confidentiality of such data.  Among the various information security issues, information availability, reliability and confidentiality are most important (Campeau and Higgins, 1995)

Organization’s supporting programs

For an information system to be effective it must be supported by a variety of programs. This will ensure that modules and components completely link to each other and that there are available procedures and activities to be followed in each. These will highlight on the policies and procedures to be undertaken in accessing and using data, recovery measures for data loss and all the configurations for user and data elements.

Certification and accreditations

This is the facetthat seeks to establish whether a security system is to the acceptable standards. It is done by an external individual who comes and runs several tests to establish on the threats, vulnerabilities, strengths and weaknesses of such a system then providing vital recommendations.

Supporting programs within an information security program

Security policies that will outline the tasks and responsibilities of individuals in an organization. This will follow the organization chart of the organization and will outline what is expected of each. This must be included as it will differentiate the organization personnel into groups witheach being able to do certain things in the system (SANS Institute, 2003).

The physical security that will outlineon how to protect the physical components or assets of the organization (SANS Institute, 2003).  These would include having lock and key systems, audit trails of those who accessed the systems. This must be included as it will assist in protecting the assets from any physical attack whether deliberate or accidental.

Personnel security provides information security measures based on the sensitivity of the information or data in question. In organizations, there are specific people allowed to access certain data. This should be included as it will protect propriety or sensitive information of the organization by having only few people to access them.

System and data identification that elaborates on what would comprise a complete system. This program will also identify the kind of data or information and how it is vulnerable. It should be included as it will allow the organization to establish and identify the cost of running a system and also identification of data and information that are vulnerable for attack and the cost of losing such data.

Incident response program that responds to any act of access, this is the program that will allow the access of a system so long as certain actions or demands are fulfilled. This program should be included as will allow systems to be responsive to the expectations of the organization, one will access data because the system has allowed.

System security plan will outline the general structures of the organization based on rights, privileges and responsibilities ofeach individual. This should be included as it will provide controls on the systems; individual actions will be controlled by the system.

System development lifecycle that provides information on how a system was initiated, designed and implemented (SANS Institute, 2003). This should be included as it will assist in maintenance of the system as it will highlight on various items to take into consideration about the life of the system.

Configuration management helps support systems and so should be included as it provides order in document access and users rights.

Training and awareness program highlights on the usage of the system and what each must know. This should be included as it will help educate users and inform them of the likely events that are considered threats and how they can respond in case a threat occurs.

System documentation will provide user guides on using the systems and all relevant data of the system (SANS Institute, 2003). Should be included as it will assist the users use the system and also recovery of the system in case of failure, this is because documentation provides design codes used to program the system.

Disaster recovery that highlights on recovery measures to be followed in case of an attack or failure. This should be included, as it will allow recovery of lost data or information and bringing back the system to normalcy


Campeau and Higgins (1995) Computer self efficacy: development of a measure

and initial test.MIS Quarterly. 19: 12.

SANS Institute. (2003). The many facets of an information security program. Practical

Assignment Version 1.4b

Thorton Consulting. (1996) Thorton consulting online banking: a success. Australian

Banking and Finance.vol. 5.