governing for strongenterprisestrong security (ges) implementation guide.pdfVIP

Governing for Enterprise Security (GES) Implementation Guide Article 1: Characteristics of Effective Security Governance1 Julia H. Allen, Carnegie Mellon University, Software Engineering Institute, CERT® Jody R. Westby, CEO, Global Cyber Risk LLC Adjunct Distinguished Fellow, Carnegie Mellon CyLab February 2007 CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office. Copyright 2007 Carnegie Mellon University 1 Much of the content in this article is excerpted and updated from previously published work [Allen 05, Allen 06a, Allen 06b, Allen 06c]. Abstract: This article sets the stage for the Governing for Security Implementation Guide series. It first presents several key definitions for enterp rise governance, IT governance, and security governance. It describes eleven characteristics intended to answer the question “How would I know effective security governance if I saw it?” The article goes on to compare and contrast both effective and ineffective security governance actions and then describes ten key challenges that leaders need to anticipate and address. Introduction Eleven Characteristics of Effective Security Governance Effective versus Ineffective Security Governance Ten Challe