Develop your information security program strategy

To ensure that you are developing a holistic, business-aligned information security program, you need to take the time to establish an information security program strategy. You should establish clear and concise strategy goals that will help you in your future program planning.

Examples of strategic goals your organization can use include:

  • Information security risk assessment: Provide for the periodic review of information security risks and implement appropriate responses
  • Information security governance: Establish a governance function to provide information concerning information security assurance to management, assisting them in making decisions concerning risk
  • Information security operations: Provide for proactive and reactive activities in response to penetration attempts
  • Information security architecture: Support engineering and development teams in the secure development and implementation of information systems
  • Information security awareness and training: Provide information on security awareness and training to personnel
  • Information security guidance: Facilitate the protection of information systems and data by providing IT security policies, procedures, and supporting guidance

The information security program strategy statements that you develop should be used as a guide for any future project that you wish to implement in support of enterprise information security.
