IV     Information Security Program Effectiveness

The information security program should be subject to periodic review to ensure continual improvement in the program's effectiveness. The review should address the program in the context of the environment in which the program now operates, both within the institution and outside. Lessons learned from experience, audit findings, and other indicators of opportunities for improvement should be identified and the program changed as appropriate.


Previous Section
III.D Incident Response
Next Section
IV.A Assurance and Testing