Part of any solid project / program management effort is a program charter that defines the program in order to ensure its success. Too many times projects begin without a clear definition of success and as a result it becomes very difficult to measure success or often even to make progress on the project in any way. Information security programs are no exception.
In order to have a successful information assurance program, organizations need to take the first step of creating a charter for the information assurance team. The benefit of these charters is that they should function in the same way as any other program charter. Because of that we have a solid body of knowledge available to us as to what elements should exist in a mature program charter.
Elements of a mature information security program charter should include:
- Name / Title
- Start and end date / timeline
- Approval authorities / executive sponsorship
- Team leadership / management
- Key players / stakeholders
- Business case / purpose / regulatory requirements
- Problem statement or opportunity
- Business benefits
- Measurable performance outcome / metrics
- Scope of work
- Key milestones
- Roles and responsibilities
- Manpower and budget requirements
- Barriers to success and risks
- Communication plan
If you haven’t taken the time to define a program charter for your security team, why not start now. Not only will this process help to define the goals of your effort, but it can focus your team’s efforts and align executives with the team’s efforts.