Information Security Governance

Cybersecurity and hacker attacks are among the top concerns that organizations worldwide face today. The concern is justified, given the sharp rise in successful attacks and in the volume of sensitive information stolen in data breaches. Cybersecurity, though, has often been viewed as a technical problem, with the expectation that a technical solution will come along some day and be the oft-sought silver bullet. In reality, cybersecurity starts in the corporate boardroom, and good Information Security Governance is the real, all-encompassing solution to the cyber problem.

What Is Information Security Governance?

According to the National Institute of Standards and Technology (NIST), Information Security Governance involves establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Information Security Governance, essentially, encompasses good risk management, robust reporting controls, comprehensive testing and training, and steadfast corporate accountability. It provides strategic direction for cybersecurity activities and ensures that the cybersecurity objectives laid out by an organization are achieved.

A good Information Security Governance process can transform an organization and bring one or more of the following cybersecurity dividends:

  • Structured, focused, and prioritized allocation of time, money, and effort.
  • Better compliance with the organization’s information security policies.
  • Better predictability and less uncertainty.
  • Decision-making that is grounded in structure rather than opinion.
  • Documented due diligence, which puts the organization in a stronger position if it faces legal consequences.
  • Clear accountability and better information protection.

To aid the implementation of good Information Security Governance, a strong foundational framework is essential. Such a framework should support and seamlessly interweave with business objectives. A cybersecurity framework arms organizations with the ability to protect themselves from evolving cyber threats. A good cybersecurity framework’s primary aims include:

  • Harmonize cybersecurity approaches across the organization and provide a common language.
  • Establish the optimum level of cybersecurity tailored to the organization’s specific environment and needs.
  • Allocate a sufficient cybersecurity budget towards the implementation of the framework.
  • Effectively impart knowledge of cyber risks to top management.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is an internationally recognized policy framework that provides a strong foundation atop which good Information Security Governance can be built. It helps organizations improve their ability to prevent, detect, and respond to cyberattacks.

The NIST Cybersecurity Framework’s core structure includes:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

As part of the Identify Function, an organization should aim to understand the business context in which it operates. What are the most critical functions of the organization? What resources are absolutely critical for the proper functioning of each of these functions? What cybersecurity risks threaten these critical functions and their seamless operation? With these questions answered, an organization develops an understanding of how it can effectively manage the specific cybersecurity risks that it faces.

As part of the Protect Function, an organization should aim to limit the impact of threats that could materialize and harm the operation of its most critical functions. An organization does this by employing cybersecurity safeguards and protections that ensure its critical functions can continue to deliver.

As part of the Detect Function, an organization should aim to detect adverse cybersecurity incidents in a timely manner. To achieve this, an organization should employ detective and monitoring controls that take into account threat inputs from well-known and reputable sources as well as the organization’s own custom alerts and inputs.

As part of the Respond Function, an organization should aim to contain the impact of adverse cybersecurity incidents that it has detected. To achieve this, an organization should strengthen its cybersecurity incident response strategies and capabilities.

As part of the Recover Function, an organization should aim to restore normal operations after an adverse cybersecurity incident has occurred and the threat has been dealt with. An organization can achieve this by investing in its resilience capabilities and recovery planning.

Best Practices

Organizations aiming to implement good Information Security Governance can look to the following best practices for guidance:

  • The organization must develop a comprehensive information security policy that covers all critical and necessary cybersecurity areas and critical functions across the organization. The policy documentation must address technical, physical, and administrative controls.
  • The organization must define clear roles and responsibilities which are coordinated and aligned with internal job functions and external partners. These roles and responsibilities must then be enforced by the organization’s policies and procedures.
  • Employees of the organization, including all levels of management, must be trained and made aware of their roles and responsibilities.
  • The organization should treat Information Security Governance as an enterprise-wide issue that is risk-based and an inherent business requirement.
  • Corporate management must be engaged, accountable, and willing to commit adequate resources to implementing good Information Security Governance.
  • The organization must commit to a well-planned development lifecycle and define specific, measurable metrics that are tracked and reported to top management on a periodic basis. Plans, strategies, and practices must be updated on an ongoing basis in light of those metrics and their results.
  • The organization must ensure that legal and regulatory requirements are kept in sight and incorporated at all times.

Having a cybersecurity company that you can count on is paramount to ensuring that your cybersecurity measures are proactive and prepared for anything. At ERMProtect, our cybersecurity services and solutions are second to none. To speak with an expert on our cybersecurity team please call (800) 259-9660 or click here to schedule a free demo.
