Program Policy

Program policy is used to create an organization’s information security program.

Program policies set the strategic direction for security and assign resources for its implementation within the organization.

A management official—typically the CISO—issues program policy to establish or restructure the organization’s information security program. This high-level policy defines the purpose of the program and its scope within the organization, addresses compliance issues, and assigns responsibility to the information security organization for direct program implementation as well as other related responsibilities.
(Source: NIST SP 800-12)