The board of directors and business unit heads will be primarily involved at the strategic level, the CISO and the functional managers at the tactical level, and the security specialists at the operational level. A new business strategy or changes in the business model require an adjustment of controls at the operational level. The main objective is to mitigate risks within the framework of an IS program; their effectiveness is measured; they are the subject of reporting and oversight; and they protect the assets in accordance with the legal and regulatory framework. Operational measures or controls cannot be deployed without support from security strategy, policies, organization, and risk management and without a security program plan. To establish effective governance and management processes, managerial controls should be modeled or grouped into easily recognizable blocks. Governance-specific activities are often presented alongside operational practices in the standards, which makes them difficult for senior executives to read.