What is Information Security Governance?
IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500). IT security governance should not be confused with IT security management. IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.
How Does NIST Define IT Security Governance?

NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Why Enterprise Governance?

Enterprise security governance results from the duty of care owed by leadership towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care. The five general governance areas are:

1. Govern the operations of the organization and protect its critical assets
2. Protect the organization’s market share and stock price (perhaps not appropriate for education)
3. Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
4. Protect the reputation of the organization
5. Ensure compliance requirements are met
Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business.
Why Use ITSecurity.Org For Your IT Security And Information Security Governance Requirements?

At ITSecurity.Org, our professional and qualified staff have decades of combined experience, expertise, qualifications and certifications gained through working in some of the largest enterprises. Our consultants have encountered many different requirements for IT Security Governance and Information Security Governance and are able to help you with your governance situation and needs in a way tailored to suit you.

We have experience on a practical basis of creating, building and managing Security Governance Frameworks so that they work for you.
What Is The Current Best Practice Regarding Enterprise IT Governance?

Three Lines Of Defense

Currently, the best practice for Enterprise IT Governance is to implement a layered approach. This layered approach is called the ‘Three Lines Of Defense’.

In order to comply with legislative and regulatory requirements, a Three Lines of Defense approach is implemented, defined as follows:

1. First Line of Defense

The first line of defense will have responsibility for:

   1. Defining the IT Strategy to provide the strategic context within which IT will operate.
   2. Ensuring that IT Policies and Governance bodies form a system of controls for IT activities and the IT Strategy Implementation.
   3. Accountability for ensuring that the following are successfully implemented:
      • IT Policy
      • IT Governance
      • IT Compliance
      • IT Risk Management

2. Second Line of Defense

The second line of defense will have responsibility for:

   • Ensuring performance, compliance and risk oversight in relation to the IT Policy.
   • Approving the IT Policy to be used by IT Governance bodies.

3. Third Line of Defense

The third line of defense will have responsibility for:

   • Independently assuring compliance with Policy.

Application Security

Effectively assess, manage, and secure your organization’s web usage and business-critical applications.

Incident Response

Leverage experienced and certified consultants to help manage and respond to security incidents.

IT Security Governance

Better manage risk, compliance, and governance.

Network Security

Enable flexible, intelligent IT and network security solutions to combat Internet threats.

Policies And Standards

Review your status, complete a risk assessment and create, produce and publish Security Standards and Policies.

Our Services
Assess your organization against UK, EU and US legislation and regulations: GDPR, PCI-DSS, ISO27001, Money Laundering, Sarbanes-Oxley.

IT Risk Management

Identify areas of potential risk and design a customized, complete security solution.

Managed Security

Outsource your IT Security to ITSecurity.Org Security Experts.

Penetration Testing

Securing online assets and supporting regulatory compliance by exposing the vulnerabilities on the network.

Procedures And Guidelines

Assess your people, processes and technologies. Create, produce and publish procedures and guidelines.

Data Protection

Assess your Data Protection environment against recent regulatory and legislative requirements including GDPR.

IT Security Consulting

Build effective IT security policies to reduce threats to your critical business assets.

Mobile Security

Protect mobile devices, secure connectivity, ensure appropriate access, and safeguard data and applications.

Physical Security

Assess and enhance your physical security plan with a wide variety of Physical Security Solutions.

Security Training

Train your staff in the principles of Security and Data Protection and prevent data breaches.