Auditing, Monitoring, and Adjusting the Program

The CISO, working with responsible units and offices, will evaluate and adjust the Information Security Program in light of the results of risk identification and assessment activities undertaken pursuant to the Program, testing and monitoring, as well as any material changes to operations or business arrangements, and any other circumstances that may reasonably have an impact on the Information Security Program.

The CISO will prepare an annual report on the status of the Information Security Program and provide it to the CIO. The CISO may prepare more frequent reports as necessary or as requested. These reports may include copies of any unit-specific security plans, current risk assessments for each unit with access to covered data, a statement on the controls in place to mitigate those risks and the effectiveness of those controls, summaries of monitoring activities, actions taken or to be taken to correct any security concerns identified through monitoring, and such other information as required to provide assurance that this Information Security Program is implemented and maintained.