Governing for enterprise security means viewing adequate security as a
non-negotiable requirement of being in business. If an
organization's management does not establish and reinforce the
business need for effective enterprise security, the organization's
desired state of security will not be articulated, achieved, or
sustained. To achieve a sustainable capability, organizations must
make enterprise security the responsibility of leaders at a governance
level, not of other organizational roles that lack the authority,
accountability, and resources to act and enforce compliance.
The technical report Governing for Enterprise Security provides
background by examining governance thinking, principles, and
approaches and applying them to the subject of enterprise security.
Governing for Enterprise Security Implementation Guide
The articles in this implementation guide are geared for senior leaders, including those who serve on boards of directors or the equivalent. Throughout the implementation guide, we describe the elements of an enterprise security program (ESP) and suggest how leaders can oversee, direct, and control it, and thereby exercise appropriate governance.
The series of articles in this implementation guide begins with the article Characteristics of Effective Security Governance. This article first presents several key definitions for enterprise governance, IT governance, and security governance. It compares and contrasts both effective and ineffective security governance actions and then describes ten key challenges that leaders need to anticipate and address.
A complete version of the Governing for Enterprise Security Implementation Guide is available as SEI Technical Note CMU/SEI-2007-TN-020.