
Governing for Enterprise Security (GES) Implementation Guide Article 2: Defining an Effective Enterprise Security Program (ESP)

White Paper
Publisher

Software Engineering Institute

Abstract

This article builds on Article 1: Characteristics of Effective Security Governance and provides a comprehensive description of an enterprise security program (ESP). It highlights those aspects of an ESP that require governance action. The goal of this article is to enable the reader to understand what governance of security means, what it applies to, and how it is exercised.

To be successful, the program requires a security culture and the cooperation of the entire organization. This is achieved by establishing and reinforcing the security “tone” set at the top of the organization, reflected in top-level policies and an effective governance structure. This structure includes a cross-organizational security team, designated key personnel — such as the chief risk officer (CRO), chief security officer (CSO), general counsel (GC), chief information officer (CIO) and others — and the involvement of operational staff. Internal audit has an independent role in auditing the ESP's effectiveness in addressing organizational security risks.

An ESP consists of a series of activities that support an enterprise risk management plan (RMP) and result in the development and maintenance of

  • a long-term enterprise security strategy (ESS)
  • an overarching enterprise security plan (which may be supported by underlying business unit security plans and security plans for individual systems)
  • security policies, procedures, and other artifacts
  • the system architecture and supporting documentation

Figure 1 depicts the hierarchical relationship of these documents and activities.