The purpose of planning is to ensure the confidentiality, integrity, and availability of data, define, develop, and document the information policies and procedures that support your business goals and objectives, and to allow the your business to satisfy its legal and ethical responsibilities with regard to its IT resources.
Information security policies and procedures represent the foundation for the use of your business IT resources. Information security policies serve as overarching guidelines for the use, management, and implementation of information security throughout your business.
Internal controls provide a system of checks and balances intended to identify irregularities, prevent waste, fraud and abuse from occurring, and assist in resolving discrepancies that are accidentally introduced in the operations of the business. When consistently applied throughout the infrastructure, these policies and procedures assure that the information assets are protected from a range of threats in order to ensure business continuity and maximize the return on investments of business interests.
This plan reflects your commitment to stewardship of sensitive personal information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of your resources, safeguarding vital business information, and fulfilling legal obligations. This plan should be reviewed and updated at least once a year or when the environment changes.