Information security governance is a part of governance, risk and compliance (GRC).
Information security should take the organization's objectives and identified risks into account when defining information security objectives. To achieve these objectives, an information security (IS) strategy must be defined.
Information security governance covers:
- IT security program
- IT security framework
- IT security policy framework
- IT security architecture framework
- Process improvement framework
A business process assessment (BPA) evaluates the efficiency of an organization's processes and identifies opportunities for improvement.
IT Security Program
An information security program (ISP) defines the activities that enable information security within an organization. To know more about the ISP, please read this post.
IT Security Framework
Information Security Policy Framework
An IT security policy framework consists of a set of documents that define, guide or outline the IT security processes within an organization.
An information security policy framework may be a component of an IT security framework.
IT Security Architecture Framework
IT security architecture framework
Process Improvement Frameworks
You can read about process improvement frameworks, like CMMI, SAMM or IDEAL, in this post.
Due Diligence and Due Care
The due care principle states that an individual should react in a situation with the same level of care that would be expected from any reasonable person. It is a very broad standard.
Due care is the continued application of the security structure to the IT infrastructure of an organization.
The due diligence principle states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner. It is more specific than the due care principle.
It implies establishing a plan, policy and process to protect the interests of an organization.
Information Security Indicators
You can read this post about information security indicators.