ABSTRACT

Increased corporate governance requirements have caused companies to examine their internal control structures closely to ensure that controls are in place and operating effectively. Organizations are increasingly competing in the global marketplace, which is governed by multiple laws and supported by various "best practices" guidelines (e.g., ITIL, ISO17799, COSO, COBIT). Appropriate information technology (IT) investment decisions must be made that are in alignment with the mission of the business. IT is no longer a back-office accounting function in most businesses, but rather a core operational necessity, and it must have proper visibility to the board of directors and management. This dependence on IT mandates ensuring the proper alignment and understanding of risks to the business. Substantial investments are made in these technologies, which must be appropriately managed. Company reputations are at risk from insecure systems, and trust in IT systems needs to be demonstrated to all parties involved, including shareholders, employees, business partners, and consumers. Information security governance provides mechanisms for the board of directors and management to exercise the proper oversight to manage the risks to the enterprise and keep them at an acceptable level.