Page 104 - CISSO_Prep_ Guide
CHAPTER THREE: INFORMATION SECURITY PROGRAM DEVELOPMENT AND MANAGEMENT
Security Program Development
The development of a security program is the implementation of
the security strategy. As seen earlier, the security strategy is just
an extension of the overall business strategy of the organization.
The business needs to see that the implementation of security is
aligned and integrated into the mission and goals of the
company. Security is implemented for the sake of the company -
to help the company meet its purpose - not merely for the sake of
security or to "be secure."
The security strategy must also be aligned with the other
policies and operating procedures of the business, including
human resources, finance, operations, legal, and lines of
business.
As businesses evolve and move into new lines of business -
perhaps outsourcing, cloud, and mobile computing - so also must
the security program adjust and support those developments.
Security must not be an anchor that continuously holds the
business back and prevents growth. Just as the company seeks to
remain competitive, so also the security department must lead
the way by developing standards and procedures that will enable
the use of modern technology.