# Infosec Programs

1. Policies and procedures: required as the basis for enforcing the IRM mandate.
   1. General procedures: policies on acceptable use, electronic communication, web access, patching, etc.
   2. Platform configuration standards: secure configurations for Unix, Windows, etc.
   3. Control catalog
2. Awareness and training programs
3. Access controls and privilege management: all individuals and services are properly authenticated, authorized and audited.
4. Vulnerability management
   1. Patching
   2. Vulnerability monitoring and response
   3. Testing for vulnerabilities: network penetration testing, web application testing, and code analysis
5. Threat management and incident response
   1. SIEM and log analysis
   2. Threat intel feeds: monitoring and absorption
   3. Incident handling and response
6. Risk assessments
   1. New ventures
   2. New code in the DMZ
   3. All varieties of control exemptions
7. Compliance
   1. Regulators
   2. External auditors
   3. SSAE16
8. Privacy and security
9. Tools and operations
   1. IDS/IPS
   2. Firewalls
   3. Proxies
   4. System log analysis tools
   5. Penetration testing tools and web application testing tools
   6. Security data warehouse: for reports, risk dashboards and items to follow up on
   7. Work ticket management tools
10. Board reporting
11. Business resilience
