This document discusses the requirements for an information systems security program (ISSP) according to National Futures Association regulatory rules. It outlines the five key areas an ISSP must address: 1) a written program, 2) security and risk analysis, 3) deployment of protective measures against threats, 4) response and recovery from electronic system threats, and 5) employee training. It provides details on what each area should entail and compliance questions organizations should consider to ensure their ISSP is comprehensive and follows all necessary protocols.