Management is responsible for developing and deploying sound security governance, which is typically defined to include resilient protection of the IT infrastructure and the related information systems that support critical functions and business processes. Within the information security program, the assigned responsibilities should include requirements to provide risk assessment and risk mitigation strategies for program management and control, as well as sub-divisional risk assessments for system security. To facilitate the risk assessment process, guidance should be provided through adopted best practices. At a minimum, the publications used should document the baseline security requirements for the entity being audited or reviewed.
"View Part I of the Auditing Information Security Governance series here"