Security governance is the combined set of tools, personnel, and processes that provide for formalized risk management. It includes organizational structure, roles and responsibilities, metrics, processes, and oversight, as it specifically impacts the security program. While governance is embodied in a set of documents, specifically standards, guidelines, policies, and procedures, to have an effective security program, the appropriate resources need to be allocated, as defined within the governance.

Without the formalization, and especially the implementation of governance, a security program is an accident. It would otherwise rely upon having the appropriately skilled people running the program, who are allocated the ...