Conduct an organizational review of the information security program, not a technical review.
Select an organization and conduct a critical review and evaluation of its information security program. The organization is of your choosing, but it should be one that you have access to or can obtain access to. The focus of the critical review should be on Information Security Governance within the organization. The goal of this project is to conduct an organizational review of the information security program, not a technical review. Some of the suggested areas that you should focus on are as follows:
1. Describe how the organization has approached information security governance and its strategy.
2. Identify relevant regulations for information security in the organization's industry and how (if at all) they influenced the governance of the security program.
3. Review the organization's information security governance model and framework. How is the program structured and managed?
4. How did the organization implement their program and what were the challenges? How were the challenges addressed?
5. How does the organization measure the success of their program?
6. What is working well within the organization's security program? Explain.
7. What is not working well within the organization's security program? Explain.
8. What recommendations would you suggest for improvement and what are the actionable items you would recommend?