
2.3 Security Governance Components

SP 800-100 lists the following key activities, or components, that constitute effective security governance (refer to Figure 2.1):

  • Strategic planning

  • Organizational structure

  • Establishment of roles and responsibilities

  • Integration with the enterprise architecture

  • Documentation of security objectives in policies and guidance

The following sections examine each of these components in turn.

Strategic Planning

It is useful for this discussion to define three hierarchically related aspects of strategic planning (see Figure 2.2):

  • Enterprise strategic planning

  • Information technology (IT) strategic planning

  • Cybersecurity or information security strategic planning

    FIGURE 2.2 Strategic Planning

Enterprise strategic planning involves defining long-term goals and objectives for an organization (for example, business enterprise, government agency, or nonprofit organization) and the development of plans to achieve these goals and objectives. The management activity involved in enterprise strategic planning is described in the Strategic Management Group’s Strategic Planning Basics [SMG17] as an activity used to set priorities, focus energy and resources, strengthen operations, ensure that employees and other stakeholders are working toward common goals, establish agreement around intended outcomes/results, and assess and adjust the organization’s direction in response to a changing environment. It involves the development of a strategic plan and the ongoing oversight of the implementation of that plan.

  • strategic plan

    A document used to communicate, within the organization, the organization’s goals, the actions needed to achieve those goals, and all the other critical elements developed during planning exercises.

IT strategic planning is the alignment of IT management and operation with enterprise strategic planning. The need to move beyond IT management and to ensure that the IT planning process is integrated with enterprise strategic planning follows from two strategic factors: mission necessity and enterprise maturity [JUIZ15]. With many actors exploiting IT to maximize effectiveness, an organization must engage in strategic planning to ensure that investments in IT produce business value and that the assessment of risks is aligned with enterprise goals and objectives. This is a necessity to support the overall enterprise mission. Further, as the IT infrastructure develops and matures, meeting enterprise strategic goals is likely to involve new arrangements with outside providers, such as cloud service providers, more use of mobile devices by employees and outside actors, and perhaps reliance on a variety of new hardware and software to develop Internet of Things (IoT) capability. These activities may create unintended barriers to flexibility and introduce new areas of risk. IT management must be guided by strategic planning to meet these challenges.

One of the best-documented examples of IT strategic planning is the process used at Intel [HAYD08a, HAYD08b, PETE12]. It is worth examining this model because it also serves as a model for security strategic planning. Intel’s IT strategic planning process comprises six phases, as shown in Figure 2.3.

FIGURE 2.3 Intel’s IT Strategic Planning Process

The six phases are as follows:

  1. Two- to five-year business and technology outlook: At the beginning of the year, the planning team takes as input an overall vision and mission statement developed at the enterprise level. During this phase, the team reviews the enterprise strategies, technology trends, employee trends, and so on to better understand the future environment that will shape the IT organization and its deliverables. IT subject matter experts from throughout the organization are recruited to help define the major trends that may be critical in shaping the organization and its decision making in the next few years.

  2. Strategic deep dive: The team identifies a small number of high-impact areas that require more in-depth analysis to inform the overall strategic planning process. Depending on circumstances at a given point in time, these may include IoT, social media trends, and changing regulatory compliance rules.

  3. Current-state assessment: The planning team analyzes the current state of all the IT-related systems and policies and compares these with the long-range outlook, paying special attention to the key drivers developed in the preceding phase. The result is a set of recommendations for adjustments to IT’s focus areas and spending plans.

  4. Imperatives, roadmaps, and finances: The next phase is the development of a strategic plan for IT. The plan includes a discussion of strategic objectives and a budget and investment plan. The plan reflects IT’s highest-priority items and provides an outcome framework for defining success. Each item includes a roadmap that can influence budget and organization decisions in the upcoming year.

  5. Governance process and decision making: Once the annual budget is approved, the information from the preceding phases is used to guide the governance process and the many decisions made across the organization to implement the strategic plan and one-year strategic objectives. These decisions include project chartering, supplier selection, sourcing, investment trade-off decisions, and so on.

  6. Regular reviews: Monthly reviews based on a wide variety of input help ensure that the strategic plan and governance decisions are followed. This culminates in a year-end assessment. Reviews continue into the following year until a new strategic plan and new governance decisions provide input for modifying the review process.

This process can include a security strategic planning component, or planning can occur in a coordinated and parallel fashion in another team.

Information security strategic planning is the alignment of information security management and operation with enterprise and IT strategic planning. The pervasive use and value of IT within organizations has resulted in an expanded notion of IT’s delivery of value to the organization to include mitigation of the organization’s risk [ZIA15]. Accordingly, IT security is a concern at all levels of an organization’s governance and decision-making processes, and information security strategic planning is an essential component of strategic planning.

An information security strategic plan should be embodied in a document that is approved by the appropriate executives and committees and is regularly reviewed. Table 2.1 suggests an outline for such a document.

TABLE 2.1 Elements of a Strategic Plan Document

Sections are grouped by category (Definition, Execution, Review); each entry gives the section name followed by its description.

Definition

  • Mission, vision, and objectives: Defines the strategy for aligning the information security program with organizational goals and objectives, including the role of individual security projects in enabling specific strategic initiatives.

  • Priorities: Describes factors that determine strategy and the priorities of objectives.

  • Success criteria: Defines success criteria for the information security program. Includes risk management, resilience, and protection against adverse business impacts.

  • Integration: Strategy for integrating the security program with the organization’s business and IT strategy.

  • Threat defense: Describes how the security program will help the organization defend against security threats.

Execution

  • Operations plan: An annual plan to achieve agreed objectives that involves agreeing on budgets, resources, tools, policies, and initiatives. This plan (a) can be used for monitoring progress and communicating with stakeholders and (b) ensures that information security is included from the outset in each relevant project.

  • Monitoring plan: This plan involves planning and maintaining a stakeholder feedback loop, measuring progress against objectives, and ensuring that strategic objectives remain valid and in line with business needs.

  • Adjustment plan: This plan involves ensuring that strategic objectives remain valid and in line with business needs as well as procedures to communicate the value.

Review

  • Review plan: This plan describes procedures and individuals/committees involved in regular review of the information security strategy.

Organizational Structure

The organizational structure to deal with cybersecurity depends, in large part, on the size of the organization, its type (for example, government agency, business, nonprofit), and the organization’s degree of dependence on IT. But the essential security governance functions to be performed are in essence the same across organizations. Figure 2.4, which is based on a figure in X.1054, illustrates these basic functions within a broader context.

FIGURE 2.4 Framework for Security Governance

The basic security governance functions are as follows:

  • Direct: Guiding security management from the point of view of enterprise strategies and risk management. This function involves developing an information security policy.

  • Monitor: Monitoring the performance of security management with measurable indicators.

  • Evaluate: Assessing and verifying the results of security performance monitoring in order to ensure that objectives are met and to determine future changes to the ISMS and its management.

  • Communicate: Reporting enterprise security status to stakeholders and evaluating stakeholder requirements.

This framework includes the governing cycle to direct, monitor, and evaluate the ISMS. The evaluation incorporates both the results of the monitoring and proposals from security management to dictate changes and improvements. This cycle is in accordance with Requirement 4.4 in ISO 27001 that the organization shall establish, implement, maintain, and continually improve an ISMS.

The evaluate function triggers communication with stakeholders in the form of a report, which can be issued annually, more frequently, or based on a security incident. As indicated in the Information Security Governance Framework [OHKI09], reporting to stakeholders serves two purposes:

  • Accountability: Reporting enables stakeholders to ensure that information security is being managed effectively, and it should include the following:

    • Information security policy

    • Risk evaluation

    • Risk measures and response

    • Management systems

  • Effect on corporate value: Reporting should disclose the following:

    • Estimates of the costs and benefits of making an inventory of information assets. The information security risk assessment process includes making a complete inventory of information assets. This inventory may support improved strategic management of the information assets, apart from security concerns, which may enhance corporate value.

    • Estimates of the value of an inventory of information assets that is developed as a result of information security activities.

    • The extent to which information security activities increase the brand value as well as the trust of the customers and partners.

    • The economic value of protected information assets.

    • The amount by which the security implementation reduces the risk of damaging the information assets.

The following sidebar provides an example of an information security report outline, from the Information Security Governance Framework [OHKI09]. This report structure is based on a study of private companies by the Japanese Ministry of Economics, Trade and Industry. It gives an overall picture of the enterprise’s information security governance. Section 5, in particular, involves providing a status update, which should be in sufficient detail for stakeholders to determine whether information security activities are being carried out as planned.

X.1054 provides an example of information security status report structure that includes the following detailed contents:

  • Introduction

    • Scope (strategy, policies, standards), perimeter (geographic/organizational units), period covered (month/quarter/six months/year)

  • Overall status

    • Satisfactory/not yet satisfactory/unsatisfactory

  • Updates (as appropriate and relevant)

    • Progress toward achieving the information security strategy

      • Elements completed/in-hand/planned

    • Changes in information security management system

      • ISMS policy revision, organizational structure to implement ISMS (including assignment of responsibilities)

    • Progress toward certification

      • ISMS (re)certification, certified information security audits

    • Budgeting/staffing/training

      • Financial situation, headcount adequacy, information security qualifications

    • Other information security activities

      • Business continuity management involvement, awareness campaigns, internal/external audit assistance

  • Significant issues (if any)

    • Results of information security reviews

      • Recommendations, management responses, action plans, target dates

    • Progress in respect of major internal/external audit reports

      • Recommendations, management responses, action plans, target dates

    • Information security incidents

      • Estimated impact, action plans, target dates

    • Compliance (or noncompliance) with related legislation and regulations

      • Estimated impact, action plans, target dates

  • Decision(s) required (if any)

    • Additional resources

      • To enable information security to support business initiative(s)

Such an outline is particularly useful for organizations that expect to enhance their reputation by emphasizing their security (for example, information and communications technology businesses). Transparency of the organization’s approach to its security risk, together with appropriate disclosure, is also effective at increasing trust, and such activities build a common awareness among stakeholders. For example, public cloud service providers share considerable detail about their information security programs and even go to the extent of allowing customers to conduct audits and vulnerability testing with prior arrangement. Other service providers and organizations with business customers traditionally did not provide this level of transparency.

Finally, the assess function depicted in Figure 2.4 is performed by independent third-party auditors, commissioned by enterprise top management.

Roles and Responsibilities

A key aspect of security governance is defining the roles and responsibilities of executives related to information security. Typically, these are C-level executives. Executive positions that play a role in security governance include the following:

  • C-level

    Chief level. Refers to high-ranking executives in an organization. Officers who hold C-level positions set the company’s strategy, make high-stakes decisions, and ensure that the day-to-day operations align with fulfilling the company’s strategic goals.

  • Chief executive officer (CEO): Responsible for the success or failure of the organization, overseeing the entire operation at a high level.

  • Chief operating officer (COO): Generally second in command to the CEO. Oversees the organization’s day-to-day operations on behalf of the CEO, creating the policies and strategies that govern operations.

  • Chief information officer (CIO): In charge of IT strategy and the computer, network, and third-party (for example, cloud) systems required to support the enterprise’s objectives and goals.

  • Chief security officer (CSO) or chief information security officer (CISO): Tasked with ensuring data and systems security. In some larger enterprises, the two roles are separate, with a CSO responsible for physical security and a CISO in charge of digital security.

  • Chief risk officer (CRO): Charged with assessing and mitigating significant competitive, regulatory, and technological threats to an enterprise’s capital and earnings. This role does not exist in most enterprises. It is most often found in financial service organizations. In enterprises in which a CRO is not present, organizational risk decisions may be the responsibility of the CEO or board of directors.

  • Chief privacy officer (CPO): Charged with developing and implementing policies designed to protect employee and customer data from unauthorized access.

Figure 2.5 shows an example of reporting relationships among these roles for a large enterprise. In smaller organizations, a number of these roles may be assumed by a single individual.

FIGURE 2.5 Possible Reporting Relationships for Security Governance

Two breakdowns of responsibility are useful in showing how to structure security-related roles in an organization. Figure 2.6, based on one in the Corporate Governance Task Force’s Information Security Governance: A Call to Action [CGTF04], shows a recommended assignment of roles and responsibilities. This useful report also provides a more detailed discussion of these roles as well as a list of recommendations for implementing effective security governance.

FIGURE 2.6 Security Governance Roles and Responsibilities Example

The Business Software Alliance’s Information Security Governance: Toward a Framework for Action [BSA03] proposes a governance framework based on three categories (see Table 2.2):

  • Governance/business drivers: What am I required to do? What should I do?

  • Roles and responsibilities: How do I accomplish my objectives?

  • Metrics/audit: How effectively do I achieve my objectives? What adjustments do I need to make?

TABLE 2.2 Information Security Governance Responsibilities

For each role, the entries give the governance/business drivers, the roles and responsibilities, and the metrics/audit items.

Corporate Executive

  • Governance/business drivers: Legislation, ROI

  • Roles and responsibilities:

    • Provide oversight and coordination of policies

    • Provide oversight of business unit compliance

    • Ensure compliance reporting

    • Monitor actions to enforce accountability

  • Metrics/audit: Financial reporting, monetizing losses, conforming to policies

Business Unit Head

  • Governance/business drivers: Standards, policies, budgets

  • Roles and responsibilities:

    • Provide information security protection commensurate with the risk and business impact

    • Provide security training

    • Develop the controls environment and activities

    • Report on effectiveness of policies, procedures, and practices

  • Metrics/audit: Policy violations, misuse of assets, internal control violations

Senior Manager

  • Governance/business drivers: Standards, audit results

  • Roles and responsibilities:

    • Provide security for information and systems

    • Perform periodic assessments of assets and their associated risks

    • Determine the appropriate level of security

    • Implement policies and procedures to cost-effectively reduce risk to acceptable levels

    • Perform periodic testing of security and controls

  • Metrics/audit: Risk assessment and impact analysis, control environment activities, remedial actions, policy and procedure compliance, security and control test results

CIO/CISO

  • Governance/business drivers: Security policies, security operations, and resources

  • Roles and responsibilities:

    • Develop, maintain, and ensure compliance with the program

    • Designate a security officer with primary duties and training

    • Develop required policies to support the security program and business-unit-specific needs

    • Assist senior managers with their security responsibilities

    • Conduct security awareness training

  • Metrics/audit: Security awareness effectiveness, incident response and impact analysis, security program effectiveness, information integrity, effects on information processing

Integration with Enterprise Architecture

A key element of security governance is the development of an information security architecture. This architecture provides information on how security capabilities (for example, identity and access management) are placed and used in the enterprise architecture. It allocates security requirements and controls to common services or infrastructures. It also provides a foundation for achieving risk-appropriate information system security, determining what circumstances and which security controls apply to information systems.

  • information security architecture

    An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel, and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

  • architecture

    The way in which the component parts of an entity are arranged, organized, and managed.

  • enterprise architecture

    The systems, infrastructure, operations, and management of all information technology throughout an enterprise. The architecture is typically organized as high-level internally compatible representations of organizational business models, data, applications, and information technology infrastructure.

Over the past 20 years, a number of enterprise architecture models have been developed and adopted by various organizations. Two widely used governance resources for developing an information security architecture as part of an enterprise architecture are The Open Group Architecture Framework (TOGAF) [TOG11] and the Federal Enterprise Architecture Framework (FEAF) [OMB13]. The FEAF is the most comprehensive of all the enterprise architectures in use [SESS07], and this section provides an overview of it. Although developed for use by U.S. federal agencies, the FEAF is used effectively as a governance tool by other government organizations, private enterprises, nonprofit groups, and other organizations.

The FEAF provides the following:

  • A perspective on how enterprise architectures are viewed in terms of sub-architecture domains

  • Six reference models for describing different perspectives of the enterprise architecture

  • A process for creating an enterprise architecture

  • A transitional process for migrating from a pre-enterprise architecture to a post-enterprise architecture paradigm

  • A taxonomy for cataloging assets that fall within the purview of the enterprise architecture

  • An approach to measuring the success of using the enterprise architecture to drive business value

The sub-architecture domains represent specific areas of the overall framework. The domains provide a standardized language and framework for describing and analyzing investments and operations.

Each domain is defined in terms of a set of artifacts, which are essentially items of documentation that describe part or all of an architecture. [EAPA17] describes three levels of artifacts:

  • High-level artifacts: These document strategic plans and objectives, typically in the form of policy statements and diagrams.

  • Mid-level artifacts: These document organizational procedures and operations, such as services, supply chain elements, information flows, and IT and network architecture. Typical artifacts at this level are narrative description, flowcharts, spreadsheets, and diagrams.

  • Low-level EA artifacts: These document the specific resources, such as applications, interfaces, data dictionaries, hardware, and security controls. Typical artifacts at this level are detailed technical specifications and diagrams.

The FEAF describes six domains:

  • Strategy

  • Business

  • Data and information

  • Enabling applications

  • Host and infrastructure

  • Security

Corresponding to the six domains are six reference models that describe the artifacts in the corresponding domains (see Table 2.3).

TABLE 2.3 Enterprise Architecture Reference Models

Each entry gives the reference model, its elements, and its goals/benefits.

  • Performance reference model

    • Elements: Goals, measurement areas, measurement categories

    • Goals/benefits: Improved organizational performance and governance, cost benefits

  • Business reference model

    • Elements: Mission sectors, functions, services

    • Goals/benefits: Organization transformation, analysis, design, and reengineering

  • Data reference model

    • Elements: Domain, subject, topic

    • Goals/benefits: Data quality/reuse, information sharing, Agile development

  • Application reference model

    • Elements: System, component, interface

    • Goals/benefits: Application portfolio management, cost benefits

  • Infrastructure reference model

    • Elements: Platform, facility, network

    • Goals/benefits: Asset management standardization, cost benefits

  • Security reference model

    • Elements: Purpose, risk, control

    • Goals/benefits: Secure business/IT environment

The following description provides further detail of the reference models (RMs):

  • Performance reference model (PRM): Defines standard ways of describing the value delivered by enterprise architectures, linked to the strategy domain. An example of a PRM artifact for this domain is a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis report that presents the strengths, weaknesses/limitations, opportunities, and threats involved in a project or in a business venture, including risks and impacts.

  • Business reference model (BRM): Describes an organization through a taxonomy of common mission and support service areas. The BRM provides guidance in defining functions and services in various mission sectors of the enterprise and is linked to the business services domain. An example of a BRM artifact for this domain is a use-case narrative and diagram that describes a set of possible sequences of interactions between systems and users in a particular environment and related to a particular goal.

  • Data reference model (DRM): Facilitates discovery of existing data holdings residing in silos and enables understanding the meaning of the data, how to access it, and how to leverage it to support performance results. The DRM is linked to the data and information domain. An example of a DRM artifact for this domain is a data dictionary, which is a centralized repository of information about data such as name, type, range of values, source, and authorization for access for each data element in the organization’s files and databases.

  • Application reference model (ARM): Categorizes the system- and application-related standards and technologies that support the delivery of service capabilities. The ARM provides guidance in developing a uniform scheme for documenting system, components, and interfaces and for managing application portfolios. It is linked to the enabling applications domain. An example of an ARM artifact for this domain is a system/application evolution diagram. This artifact documents the planned incremental steps toward migrating a suite of systems and/or applications to a more efficient suite, or toward evolving a current system or application to a future implementation.

  • Infrastructure reference model (IRM): Categorizes the network- or cloud-related standards and technologies that support and enable the delivery of voice, data, video, and mobile service components and capabilities. The IRM provides guidance in developing a uniform scheme for documenting platform, facility, and network elements and for managing assets. It is linked to the host and infrastructure domain. An example of an IRM artifact for this domain is a hosting concept of operations, which presents the high-level functional architecture, organization, roles, responsibilities, processes, metrics, and strategic plan for hosting and the use of hosting services. Other artifacts provide detailed documentation of infrastructure elements.

  • Security reference model (SRM): Provides a common language and methodology for discussing security and privacy in the context of the organization’s business and performance goals. The SRM provides guidance in risk-adjusted security/privacy protection and in the design and implementation of security controls. It is linked to the security domain. An example of an SRM artifact for this domain is a continuous monitoring plan, which describes the organization’s process of monitoring and analyzing the security controls and reporting on their effectiveness.

Figure 2.7 illustrates the interactions among the reference models.

FIGURE 2.7 Relationships Between RM Components

These reference models operate on four categories of assets:

  • Organization assets: These assets include investments, programs, processes, applications, infrastructures, and individuals.

  • Business capabilities: A business capability represents the ability of an organization to perform an activity that results in an outcome of value. A business capability can be viewed as an assembly of organization assets for a specific purpose.

  • Data assets: Data assets include databases, files, and other data resources available to the organization.

  • IT assets: IT assets include devices, peripherals, systems, applications, and IT capital investments.

Figure 2.8 shows in more detail the interaction between the security reference model and the other reference models.

FIGURE 2.8 Interactions Between the Security Reference Model and Other Reference Models

An enterprise architecture is a powerful methodology for enabling enterprise and security governance, and it should be viewed as an essential element of governance.

Policies and Guidance

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, defines an information security policy as an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. It is an essential component of security governance, providing a concrete expression of the security goals and objectives of the organization. The policies, together with guidance documents on the implementation of the policies, are put into practice through the appropriate selection of controls to mitigate identified risks. The policies and guidance need to cover information security roles and responsibilities, a baseline of required security controls, and guidelines for rules of behavior for all users of data and IT assets.


Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020