The document provides a template for an information security charter, including sections on the security vision, mission, scope, strategic objectives, and roles and responsibilities. The template is intended to help define the scope and purpose of a security program by setting clear objectives and responsibilities. It provides examples for each section to help customize the charter for an organization's specific needs.

Information Security Charter

Introduction: How to Use This Template


A charter is an essential document for defining the scope and purpose of a security project or program. Without a
charter to control and set clear objectives for the committee, the responsibility of security governance initiatives
will likely be undefined within the enterprise, preventing the security governance program from operating
efficiently.

To use this template, simply customize any text below in dark grey to fit the needs of your enterprise. Be sure to
remove all introductory text in dark grey and convert the remaining text to black prior to distribution. Also, replace
the header and footer with your enterprise’s information.

This document is intended for use as guidance and should be used in accordance with your enterprise’s legal and
compliance environment.

Security Vision

The purpose of documenting the security program’s vision is to ensure that the development and management of
your security policies meet the broader program vision.

It should be a concise statement that reflects your center, department, or committee’s overall goal, security-wise,
within the broader organization. The vision statement should answer the question “what will happen as a result of
what we do?”

Example: Info-Tech Holdings will be the group of companies that offers its employees and its clients a safe and
secure environment where data security is not a concern while fostering and not limiting innovation.

Security Mission
The purpose of documenting the security mission is to ensure that your suite of security policies is meeting the
entire security program’s mission.

It should be a concise statement that describes what will be delivered, offered, or achieved by your committee.
The mission answers the question “what do we do?” It defines the purpose and scope of the committee.

Example: To deliver a comprehensive suite of IT and information security governance and operations functions
on behalf of Info-Tech Holdings.

Security Scope
The purpose of documenting the charter’s scope is to define how far-reaching the charter is and what
departments must comply with it.
Edit the chart below to set an appropriate scope for your organization’s charter.
Organization (Business Units/Processes):
- Category management
- Replenishment
- New business development (includes marketing, real estate)
- Operations (store management)
- Corporate planning
- Accounting (including loss prevention)
- Treasury
- Human Resources
- IT
- Design and construction

Physical Location(s):
- Head office Toronto
- Satellite office New York
- 300 stores across Canada
- 150 stores across US and Caribbean
- Data center (tape backup, offsite)

Data:
- Product database
- Accounting information
- Sales data
- Email
- HR
- Financials
- Shared server
- Common drive
- SharePoint

Technology (IT Systems):
- Applications
  - ERP
  - Replenishment
  - Budget planning
  - EDI
- Backend
  - AD
  - Exchange
  - SharePoint
  - MS Link
  - FTP
  - EFT
- Network
  - MPLS (includes DSL)
  - VPN (direct access)

Strategic Security and Policy Objectives


As a starting point, use the charts below to align your security program and policy objectives.
1. Document a list of known business strategy goals.
If business strategic goals are unknown, consider the answers to the following questions:
a) Does the organization have any upcoming expansion plans (e.g. new markets, products, M&As)?
b) What requests, complaints, or comments does the business most frequently have for IT/Security?
c) Based on your industry position, how aggressively will your organization be adopting new
technologies?
2. Identify security program objectives that align with business strategic goals.

Example:

Business Strategic Goal #1: Risk mitigation and asset protection

Information Security Objectives

- Adopt a risk-based approach to ensure that information security risks are treated in a consistent and
effective manner.
- Mitigate information security risk to a manageable level that is accepted by the board.
- Move from a reactive response model to a predictive model to identify risks before potential impact.

Business Strategic Goal #2: Provide customers with the highest level of service

Information Security Objectives

- Protect and prevent information (e.g. customer data) from unauthorized uses or disclosures.
- Ensure that information security is integrated into essential business activities.
- Prioritize information security resources to protect the business applications where an information security
incident would have the greatest impact.

Business Strategic Goal #3: Maintain compliance obligations

Information Security Objectives

- Meet legislative requirements, regulatory requirements, and audit recommendations.
- Monitor and validate regulatory compliance.

Business Strategic Goal #4: Meet the operating needs of the organization in a secure manner

Information Security Objectives

- Safeguard data at rest, in transit, and in use across on-premises and hosted systems.
- Safeguard the confidentiality, integrity, and availability of the network, systems, and applications to the
levels required by the business.

Business Strategic Goal #5: Provide training and awareness to end users

Information Security Objectives

- Ensure that end-user training and awareness occurs regularly, takes a variety of forms, and spans various
lengths of time.
- Test end users regularly to verify that training is effective.
- Foster a security-positive culture that influences the behavior of end users to reduce the likelihood of
information security incidents occurring and limit their potential business impact.

Roles and Responsibilities for Developing the Security Program


Define the roles and responsibilities for your organization’s security team. Be sure to account for any special
needs your organization has for any of these roles.

Example:

CISO

Description: A CISO is a high-level management position responsible for the entire information security
department and staff.

Responsibilities:
1. Protect information assets
   - Collaborate with and support other departments from an information security perspective.
   - Adhere to privacy legislation.
   - Implement security controls and solutions according to security governance requirements such as:
     - Auditing
     - Development of policies and procedures
     - Security architecture design
2. Approve security policies
   - Communicate business obligations and goals to support individuals developing policies.
3. Develop security strategy and governance framework
   - In conjunction with business leaders, align the security objectives with business goals to ensure security
     is a business enabler.
4. Compile threat intelligence reports
   - Write high-level summaries describing actual or potential attacks against the organization for executive
     review.
5. Approve security budget and resource requests
   - Review spending requests and make decisions based on organizational need and overall efficacy of the
     requested purchase for improving the organization’s security posture.

Information Security Risk Officer

Description: An information security risk officer consults, coordinates, and partners with Legal and relevant
stakeholders to develop enterprise-level information security compliance policies. Primary concerns include risk
identification, management, and mitigation processes as well as monitoring and tracking audit findings across the
organization.

Responsibilities:
1. Identify risks associated with protecting information assets
   - Collaborate with and support departments from an information security perspective.
   - Monitor compliance with policies.
   - Ensure privacy legislation is being adhered to.
   - Implement security controls and solutions according to security governance requirements such as:
     - Auditing
     - Development of policies and procedures
2. Align information security policies to enterprise policies
   - Create continuity between information security policies, IT policies, and enterprise-level policies.
3. Help business leaders set appropriate risk tolerance
   - Set a risk tolerance level that protects information assets and enables business operations to run as
     smoothly as possible.
   - Conduct threat and risk assessments as necessary and review the results.
4. Review, manage, and update risk-related processes, controls, and supporting documents
   - Ensure that the information security governance framework and strategy align with the organization’s
     general risk governance program.
5. Maintain risk register
   - Track and record information security risks, detailing if the risk is accepted, not accepted, mitigated, or
     transferred.
6. Risk identification
   - Identify, assess, and monitor risks to information security and propose mitigation strategies.
   - Evaluate the inherent risk of identified threats and calculate the residual risk after mitigation
     technique(s) have been implemented.

Cross-Platform Security Architect

Description: The cross-platform security architect role focuses on the development and review of information
security systems and policies to support the maintenance of these security systems across platforms. The success
of this position is greatly dependent on the individual’s ability to create and maintain relationships with
programmers, risk assessment staff, auditors, and the broader security department.

Responsibilities:
1. Design security systems to protect IT infrastructure proactively
   - Assess the IT environment for vulnerabilities and work to close them to improve the organization’s
     information security posture.
2. Design security systems to remediate exploited vulnerabilities
   - Contribute to the incident response effort by designing solutions to security vulnerabilities used by
     attackers.
3. Develop security systems that enable business functions
   - Ensure that information security is not so restrictive as to interfere with the needs of business leaders.
   - Manage business risks rather than try to eliminate them entirely (e.g. promote a security-positive culture
     without shutting down all possible risks).
4. Develop information security policies
   - Gain an understanding of the functional requirements necessary for each security policy.
   - Collaborate with individuals across the security department.
   - Review compliance requirements for security policies and update annually.
   - Ensure that policies capture the current and developing security controls.

Security Analyst

Description: A security analyst’s role focuses on implementing security measures.

Responsibilities:
1. Maintain and ensure execution of security operational standards, such as:
   - System hardening
   - Patching
   - Provisioning and deprovisioning of systems and access
   - Decommissioning of technical assets
   - Manage security devices (internal & external): configure, update, and tune.
2. Know what is happening in the environment: real-time security monitoring/detection
   - Monitor the organization’s IT systems and end users’ activities from an information security perspective.
   - Correlate and analyze logs to detect potential information security breaches, and perform other activities
     needed to support the threat intelligence program.
3. Know what actions need to be taken based on this information:
   - Security incident management
   - Security problem management
   - Reporting
   - Auditing response
   - Forensics
4. Deploy and maintain proactive security measures, such as:
   - Antivirus
   - Firewalls
   - Encryption
5. Contribute to incident reports
   - Work with the incident response team by providing necessary details of security incidents.
6. Conduct penetration and security awareness testing
   - Test the strength of the organization’s security via common attack techniques.
   - Test end-user awareness through mock phishing emails and other appropriate techniques.

Executive Team

Description: The executive team contributes to discussions around risk tolerance and communicates business
needs to the security leaders.

Responsibilities:
1. Convey business needs
   - Ensure that the security team understands why certain procedures are necessary and why such risks can
     be tolerated.
2. Define risk tolerance
   - Work with the security department to set an appropriate risk tolerance by aligning business goals and
     security objectives.
3. Review threat landscape briefings
   - Responsible for maintaining a functional understanding of possible security threats to make informed
     decisions about the organization’s overall security program.
4. Maintain a basic understanding of security protocols used, such as:
   - Encryption
   - Firewalls
   - Disk segmentation
   - Patching
5. Address the public after a severe security incident
   - Responsible for media appearances following particularly serious security incidents affecting external
     stakeholders (e.g. cases in which a PR specialist alone would be insufficient).

End Users

Description: End users include anyone outside of the policies committee and/or security who provide business or
support functions.

Responsibilities:
1. Comply with information security policies
   - Responsible for reading, signing, and adhering to the policies outlined by information security and the
     broader IT organization.
2. Report known or suspected issues that may affect organizational security
   - [Manager] should be notified without undue delay of any security issues encountered by end users.
   - Exercise caution when downloading or transferring data online.
3. Participate in training and awareness activities
   - Responsible for attending training sessions and completing assignments as well as participating in
     testing exercises designed by the CISO, which may be conducted without the end user’s knowledge.

Governing Regulations and Other Requirements (optional)


Use this section to list any regulations your organization is subject to and that may affect the development of your
security program.

Example:
- GDPR
- PCI DSS

Standards and Certifications (optional)


Use this section to note any standards your industry uses and need to be observed when developing your
security program.

Example:
- ISO 27001

Risk Tolerance Statement


Use this section to give a practical definition and explanation of your organization’s risk tolerance to help explain
what is and is not acceptable behavior and why.

Example:

[Organization] defines its risk tolerance as [moderate]. This means that we accept the risks within our industry
needed to conduct business. We use various controls to mitigate these necessary risks but do not impose
controls so strict that business operations are significantly impeded in the name of security. However, this position
should not be misunderstood as one of laxness. [Organization] takes organizational security very seriously and
expects all employees to respect the security controls established through our governance framework and overall
security strategy.

Corporate and Management Commitment


Document commitment from senior management, the board, and any other senior leadership positions here.
Include specifics on which roles are providing support, what their responsibilities are in supporting the security
program (e.g. review security strategies, communicate security issues to public investors), and how they are
being tracked on their commitment levels.

Example:
The Board of Directors (“the Board”) is ultimately accountable for corporate governance, which includes
information security as an integral part of it. The Board is committed to ensuring security controls are protecting
and securing all organizational systems and any sensitive, valuable, or confidential data. The Board will review
security strategies and budget requests as an agenda item for each Board meeting.

Board Sign-Off:
Have your board members add their name and title below, then sign and date the lines provided.

[Name, title] _________________________________________________ Date: ____________

[Name, title] _________________________________________________ Date: ____________

[Name, title] _________________________________________________ Date: ____________

[Name, title] _________________________________________________ Date: ____________

[Add lines as needed]

Evaluation and Renewal Requirements


The Information Security Charter shall be evaluated and renewed as necessary on a periodic basis and in
response to environmental changes.

The Charter shall be reviewed at least every:
- 12 months

And shall be reviewed by:
- The CISO, CIO, and the information security steering committee

The Charter shall be evaluated when major organizational or environmental changes occur. Such changes may
result in the need to update or otherwise change the existing version of the Charter, which will be done after the
evaluation process is complete.

Organizational and environmental changes resulting in Charter review and evaluation include but are not limited
to:
- New CISO, CIO, or CEO
- Change in regulatory or legal environment
- Dramatic changes in end-user behavior
- Change in organizational goals
- Change in organizational operating environment

Revision History
Version | Change | Author | Date of Change


For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to supply
general information only, not specific professional or personal advice, and are not intended to be used as a
substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for
document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech
information in the Header and Footer fields of this document.

Info-Tech Research Group
