ABSTRACT
Increased corporate governance requirements have caused companies to examine their internal control
structures closely to ensure that controls are in place and operating effectively. Organizations are
increasingly competing in the global marketplace, which is governed by multiple laws and supported by
various “best practice” guidelines (e.g., ITIL, ISO17799, COSO, COBIT). Appropriate information
technology (IT) investment decisions must be made that are in alignment with the mission of the
business. In most businesses IT is no longer a back-office accounting function but a core
operational necessity, and it must have proper visibility to the board of directors and
management. This dependence on IT requires that IT be aligned with the business and that the
risks it poses to the business be understood. Substantial investments are made in these technologies, which must be
appropriately managed. Company reputations are at risk from insecure systems, and trust in IT
systems needs to be demonstrated to all parties involved, including shareholders, employees, business
partners, and consumers. Information security governance provides the mechanisms by which the board of
directors and management exercise that oversight, managing the risks to the enterprise and keeping
them at an acceptable level.