An information security program policy is a formal definition of the organisation's posture and approach to managing information-related risks. It defines the business requirements for initiating the security program and the goals to be achieved. The security program involves classifying information based on sensitivity and business impacts, defining information ownership, conducting risk assessments, and developing enterprise security policies to mitigate the risks identified. This service helps organisations implement comprehensive security programs that empower organisations to effectively manage their information risks.