Effective Information Security Governance

Information security governance is a critical facet of overall corporate governance. It must be an integral and transparent part of enterprise governance. It consists of the leadership, organizational structures and processes that protect the information vital to successful business. Information security governance must provide a level of assurance to senior management that critical decisions are not based on faulty information. It also has to protect the organization’s reputation and improve trust in customer relationships. It provides a firm foundation for effective risk management, process improvement, fast and successful incident response, and business continuity management.


There are six basic outcomes of effective information security governance:

1. Strategic alignment, which means that the information security strategy has to be aligned with the business strategy to support the organization’s objectives. Security solutions should fit enterprise processes and take into account the culture, governance style, technology, and structure of the organization.

2. Risk management, which means executing appropriate measures to mitigate information security risks and reduce potential impacts on information resources to an acceptable level.

3. Value delivery, which means optimizing information security investments in support of business objectives. Baseline security requirements should follow adequate and sufficient practices proportionate to risk and potential impact.

4. Resource management, which means using information security knowledge and infrastructure efficiently and effectively: ensuring that knowledge is captured and available, documenting security processes and practices, and developing security architecture(s) that define and utilize infrastructure resources efficiently.

5. Performance measurement, which means monitoring and reporting on information security processes to ensure that objectives are achieved. It includes a well-defined, agreed-upon and meaningful set of metrics that are properly aligned with strategic objectives and provide the information needed for effective decisions at the strategic, management and operational levels.

6. Integration, which means integrating all relevant assurance factors to ensure that processes operate as intended from end to end.

Information security governance is a subset of corporate governance. It provides strategic direction for security activities and ensures that objectives are achieved. It ensures that information security risk is appropriately managed and that enterprise information resources are used responsibly.

To achieve effective information security governance, management should establish and maintain a governance framework. It will generally consist of:

  • a comprehensive security strategy linked with business objectives;
  • security policies that address each aspect of strategy, controls and regulation;
  • a complete set of standards for each policy to ensure that procedures and guidelines comply with policy;
  • an effective security organizational structure with sufficient authority and adequate resources;
  • institutionalized metrics and monitoring processes to ensure compliance, provide feedback on effectiveness and provide the basis for appropriate management decisions.

This framework should provide the basis for the development of a cost-effective information security program that supports the organization’s business goals. To be of value to the organization, effective information security governance must support its business goals and activities.


Suzana Stojaković – Čelustka, PhD is an expert in the field of information security. Some of her related duties were: CEO of CARNet CERT (Croatian Academic and Research Network Computer Emergency Response Team) in 1997; CEO of the CARNet Department for security of computer networks in 1998; assistant for information security related jobs in the Office for internetization of the Croatian Government, 2002–2004; senior advisor for information security in the Central State Office for e-Croatia, including development of the National program of information security in the Republic of Croatia, 2004–2006; and CISO (Chief Information Security Officer) at the Croatian Bank for Reconstruction and Development (current position).

She is also a lecturer on information security topics on various occasions and editor at the Croatian Information Security Portal (http://www.sigurnost.info). She received her BSEE and M.Sc. at the Faculty of Electrotechnical Engineering, University of Zagreb, Croatia, and her Ph.D. at the Faculty of Electrical Engineering, Czech Technical University of Prague, Czech Republic. Her Ph.D. thesis, Building Secure Information Systems, can be found at http://www.oocities.com/suzana_sc2001/index.htm. Her other interests include research in computer architecture, distributed systems (networking), algorithmics, artificial intelligence and artificial life.

She is an active member of IFIP W.G. 9.6/11.7 (Working Group 9.6/11.7 – Information Technology Mis-Use and the Law, IFIP Technical Committee 9 – Relationship between Computers and Society) and IFIP W.G. 16.5 (Working Group 16.5 – Social and Ethical Issues in Entertainment Computing – IFIP Specialist Group on Entertainment Computing).



Comments (3)
  • Suzana - Security Governance Definition

    I always like to think about security as a business enabler. That being said, I think that security governance should primarily be a business requirement that directly aligns with strategic goals, enterprise objectives, risk management plans, compliance requirements, and top-level policies. This definition is widely recognized by security experts (some associations, e.g. ISACA, promote this or a similar definition), but the open question is to what extent business itself recognizes whether this statement is true.

  • Rubina - Governance, Gender and Security

    Not sure if this is related, but I would like to read this book and try to explain the links between enterprise security governance and ethical issues:


  • Rubina - Security Governance Definition

    How would you define Security Governance, or Enterprise Security Governance?
