Information Security Governance

Two years ago I wrote about IT Governance and today I want to write about the six main outcomes of Information Security Governance:

Strategic Alignment

Strategic alignment is the alignment of information security in support of all of the organization's objectives; it is highly desirable but difficult to achieve. If we align the security strategy with the goals and objectives of the business, we get a cost-effective and efficient organization. The security strategy must define security objectives in business terms, tied to business objectives, and carry them from the planning phase through to the documentation phase: policies, standards, procedures, technologies and processes.

Risk Management

Risk management is the ultimate objective of all information security activities. It is the process of executing the right measures to mitigate risk and reduce the potential impact on data and information resources to an acceptable level. We should understand the organization's risk threshold levels, its risk exposure and the potential consequences of any compromise or vulnerability, and be aware of the priorities in risk management and the risk mitigation process.

Value Delivery

Value delivery happens when the investment in security is optimized to support the organizational objectives. In other words, we have to get as much value as we can out of our security mechanisms: our devices, hardware, software and personnel. We should try to maximize output and results for the lowest possible cost. Value is therefore delivered when our strategic security goals are achieved with an acceptable risk posture at the lowest possible cost.

Resource Management

Resource management can be defined as the processes of planning, allocating and managing information security resources. These include people, technology and logical processes such as techniques and methodologies, all with the goal of improving the effectiveness and efficiency of our business solutions. How do we know whether we have effective resource management processes in place? If we have a systematic procedure for dealing with problems that appear over and over again, our resource management processes are effective and efficient.

Performance Analysis

Performance analysis is the process of measuring, monitoring and reporting on information security processes, with the key goal of improvement. We can't manage what we can't measure. If we aren't measuring with solid metrics and standardised methodologies, we can't analyse performance in order to improve the organization and the security program. Examples of such metrics are the time taken to detect and report incidents, and the number of incidents and their frequency: knowing these, we can find out whether our controls are effective.

Integration

Integration is the process of converging our information security processes with business processes. It is closely related to the concept of strategic alignment, but integration is the practical side of alignment: strategic alignment is handled at the operational and upper management levels, whereas integration is the real-world, day-to-day application of it, from the top down, in the actual processes.

Regards, my friend, and remember: leave a comment with the first thing you're thinking.