Information security program

Definition
The Federal Information Security Management Act of 2002 provides that:


 * Each agency shall develop, document, and implement an agencywide information security program, approved by the Director under section 3543(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes &mdash;
 * (1) periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
 * (2) policies and procedures that &mdash;
 * (A) are based on the risk assessments required by paragraph (1);
 * (B) cost-effectively reduce information security risks to an acceptable level;
 * (C) ensure that information security is addressed throughout the life cycle of each agency information system; and
 * (D) ensure compliance with &mdash;
 * (i) the requirements of this subchapter;
 * (ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated under section 11331 of title 40;
 * (iii) minimally acceptable system configuration requirements, as determined by the agency; and
 * (iv) any other applicable requirements, including standards and guidelines for national security systems issued in accordance with law and as directed by the President;
 * (3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate;
 * (4) security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of &mdash;
 * (A) information security risks associated with their activities; and
 * (B) their responsibilities in complying with agency policies and procedures designed to reduce these risks;
 * (5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing &mdash;
 * (A) shall include testing of management, operational, and technical controls of every information system identified in the inventory required under section 3505(c); and
 * (B) may include testing relied on in a evaluation under section 3545;
 * (6) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
 * (7) procedures for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued pursuant to section 3546(b), including &mdash;
 * (A) mitigating risks associated with such incidents before substantial damage is done;
 * (B) notifying and consulting with the Federal information security incident center referred to in section 3546; and
 * (C) notifying and consulting with, as appropriate &mdash;
 * (i) law enforcement agencies and relevant Offices of Inspector General;
 * (ii) an office designated by the President for any incident involving a national security system; and
 * (iii) any other agency or office, in accordance with law or as directed by the President; and
 * (8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.