ABSTRACT

The common method of building an information security program is to: review the laws and regulations that apply to the particular organization and determine which ones are pertinent; develop a gap analysis or assessment to determine which controls are missing; create an information security policy representing the required laws and regulations; and develop and implement controls to satisfy the policy that has been developed. This chapter focuses on security incidents that have occurred over the past several years. Security governance failures at other organizations, as represented by their security incidents, and especially at organizations that share the same vertical industry, size, revenue, and geographic characteristics, can provide the incentive necessary to examine how the organization is ensuring that the same situation will not occur there. Policies in themselves may provide the protections once a violation is detected; however, without adequate technical controls, enforcement of the policies may be very difficult at best.