This guide is designed to help business leaders implement an effective
program to govern information technology (IT) and information
security. Our objective is to help you make well-informed decisions
about many important components of governing for enterprise security
(GES), such as adjusting organizational structure, designating roles
and responsibilities, allocating resources (including security
investments), managing risks, measuring results, and gauging the
adequacy of security audits and reviews. The intent in elevating
security to a governance-level concern is to foster attentive,
security-conscious leaders who are better positioned to protect an
organization's digital assets, its operations, its market position,
and its reputation.
Be forewarned—security is a relatively new area of governance for
most organizations. It can be complicated for newcomers to IT and
information security. Although the U.S. government has encouraged
executives to take a more active role, many still do not understand
that security requires action at the governance level. Based on
organizations' growing dependence on IT and IT-based controls,
information and IT security risks increasingly contribute to
operational and reputational risk. Leaders must understand the legal,
technical, managerial, and operational considerations that converge in
an enterprise security program (ESP). Reading short executive
summaries will not suffice. As with audit and compliance
responsibilities, boards and senior officers need to thoroughly
understand effective enterprise security governance and how to bring
it about. For instance, beyond comprehending organizational structure,
roles, and responsibilities, leaders need to understand the more
detailed responsibilities and tasks required to develop and operate a
sustainable security program. Tackling GES is complex, and requires
learning information and knowledge that is missing in many
The GES Implementation Guide provides such guidance. The articles move from a general introduction and overview to a detailed explanation of how to implement a governance-based ESP.
Article 1 presents eleven characteristics that answer the question "How would I know effective security governance if I saw it?" It compares and contrasts both effective and ineffective security governance actions and describes ten key challenges that leaders need to anticipate and address.
Article 2 defines the components and sequence of activities in an effective ESP. It is important that senior leaders understand the order and results of needed activities. They also should understand the roles and responsibilities of personnel involved in executing these activities. Sample activities include developing top-level policies, creating and maintaining asset inventories, and determining security inputs to the enterprise risk management plan.
Article 3 elaborates on the governance-based activities necessary to achieve and sustain an ESP. It describes the roles of the board risk committee and senior management (C-level or equivalent).
This series of articles builds upon earlier work [Allen 05, Westby 05, Westby 04b] and assumes that leaders are on the path to implementing a governance- and enterprise-based approach to security for their organizations.
A complete version of the Governing for Enterprise Security Implementation Guide is available as SEI Technical Note CMU/SEI-2007-TN-020.