2.6 Security Governance Best Practices
The ISF SGP breaks down the best practices in the security governance category into two areas and five topics and provides detailed checklists for each topic. The areas and topics are as follows:
Security governance approach: This area provides guidance for establishing, maintaining, and monitoring an information security governance framework, which enables the organization's governing body to set clear direction for information security and risk management and to demonstrate its commitment to them.
Security governance framework: This topic provides a checklist of actions for establishing a security governance framework and ensuring that the organization’s overall approach to information security supports high standards of governance.
Security direction: This topic outlines a recommended top-down management structure and mechanism for coordinating security activity (for example, an information security program) and supporting the information security governance approach. It includes discussion of a chief information security officer (CISO), an information security working group, and the tasks of each.
Security governance components: This area provides guidance for supporting the information security governance framework by creating an information security strategy and implementing an information security assurance program that are aligned with the organization’s strategic objectives.
Information security strategy: This topic provides a checklist for developing an information security strategy.
Stakeholder value delivery: This topic focuses on how the organization should implement processes to measure the value delivered by information security initiatives and report the results to all stakeholders.
Information security assurance: This topic discusses actions that provide assurance that information risk is being adequately addressed.