Information Security Governance (ISG) normally addresses the creation and implementation of a ‘system of security controls’ that enables management to fulfil its ethical and/or legal responsibilities for information assets protection (IAP). Ethically, management must protect an entity’s information assets from potential external and internal threats that may compromise confidentiality, integrity, and availability (C-I-A), in order to preserve the assets’ organization, presentation, and utilization value. Legally, within an entity’s information security control system, management as a fiduciary agent is responsible and accountable, explicitly or implicitly, for deploying the controls mandated by laws and regulations to prevent, deter, detect and/or correct privacy breaches. Furthermore, laws and regulations may also mandate that C-I-A requirements be implemented within an entity, together with the corresponding managerial fiduciary responsibilities and accountabilities.
Brotby, Krag W. Information Security Governance: Guidance for Boards of Directors and Executive Management. 2nd ed. Rolling Meadows, IL: IT Governance Institute, 2006. http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997 (accessed April 21, 2008).