The IT Law Wiki



A program policy is

a high-level policy that sets the overall tone of an organization's security approach.[1]
what management uses to create an organization's security program. It is high-level, comprehensive, and unlikely to need frequent updating.[2]


U.S. government

In a Federal agency, the formulation of program policy must proceed within the framework of existing laws, regulations, and Executive Branch policies, including the Computer Security Act of 1987; OMB Circular No. A-130, Management of Federal Resources, particularly OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources; and PDD-63, Protecting America's Critical Infrastructures. It must also be guided by the agency's mission statement and organizational structure.

Program policy development and promulgation is the responsibility of senior management and should take place under the direction of the agency head or senior administration official responsible for the agency. The components of an adequate program policy include the following: