Software Engineering Institute

This article sets the stage for the Governing for Security Implementation Guide series. It first presents several key definitions for enterprise governance, IT governance, and security governance. It describes eleven characteristics intended to answer the question "How would I know effective security governance if I saw it?" The article goes on to compare and contrast both effective and ineffective security governance actions and then describes ten key challenges that leaders need to anticipate and address.