National Information Assurance Standard

[IAS-NAT-INFA]

Latest Updated Version 2.1

May 2023

1 - Introduction

Article 1.1. - Context

Information security is not only a technical issue, but also a business and governance challenge that involves risk management, reporting, and accountability. It is a top-down process requiring a comprehensive information security strategy that is explicitly linked to the organization’s business processes and objectives.

Effective security requires the active engagement of executive management to address emerging threats and provide strong cyber security leadership. The term used to describe executive management’s engagement is Information Security Governance. Information Security Governance consists of the set of policies and internal controls by which information security activities within an organization, irrespective of size or form, are directed and managed. Risk management, reporting, and accountability are core focus areas of all information security policies and internal controls. Information security governance is a subset of an organization’s overall corporate governance program.