ABSTRACT

Information security governance defines the roles and expectations of management and non-management levels alike so that each party understands what it is responsible for. A variety of laws and regulations have surfaced over the past decade in an attempt to strengthen the security of information stored within the companies to which the information assets are entrusted. Since laws and regulations are intentionally written at the higher “what needs to happen” level rather than the “how to secure the information” level, standards and control frameworks become valuable tools for ensuring that security is planned, organized, implemented, tested, and monitored. The three components of governance, risk, and compliance are all necessary for adequate security controls. It is also important to recognize that an information security governance program draws on laws, regulations, frameworks, and standards from multiple sources and may have to comply with several laws and regulations simultaneously.