Create your own variant of both a hiring and a termination policy related to security and keeping company info secure. Solution Information Security management is a process of defining the security controls in order to protect the information assets. Security Program The first action of a management program to implement information security is to have a security program in place. Security Program Objectives: Protect the company and its assets. Manage Risks by Identifying assets, discovering threats and estimating the risk. Objects are- Information Classification, Security Organization, and Security Education. Security Management Responsibilities: Determining objectives, scope, policies,re expected to be accomplished from a security program. Evaluate business objectives, security risks, user productivity, and functionality requirements. Approaches to Build a Security Program Security Controls Security Controls can be classified into three categories- Administrative Controls, Technical or Logical Controls ,Physical Controls. The Elements of Security Vulnerability: Vulnerability characterizes the absence or weakness of a safeguard that could be exploited. Threat: Any potential danger to information or systems. A threat is a possibility that someone (person, s/w) would identify and exploit the vulnerability. Risk: Risk is the likelihood of a threat agent taking advantage of vulnerability and the corresponding business impact. Reducing vulnerability and/or threat reduces the risk. Exposure: An exposure is an instance of being exposed to losses from a threat agent. Vulnerability exposes an organization to possible damages. Countermeasure or Safeguard: It is an application or a s/w configuration or h/w or a procedure that mitigates the risk. The Relation Between the Security Elements Example: If a company has antivirus software but does not keep the virus signatures up-to-date, this is vulnerability. The company is vulnerable to virus attacks. The likelihood of a virus showing up in the environment and causing damage is the risk. .