​

SAYING THAT the basis of a good IT security program is effective enterprise security governance smacks of business-school jargon. After all, what exactly is effective enterprise security governance?

That question is considered in depth by the Software Engineering Institute at Carnegie Mellon University in a new paper that cuts through the jargon to show why this really matters. Their research identified six factors that indicate “an organization is addressing security as a governance concern.”

The first is the company makes sure that C-level leaders understand their responsibilities regarding security; the second is that it treats security as “a cost of doing business,” not a negotiable item that needs regular defending. The third factor is that the company considers security during strategic and operational planning.

Fourth on the list is that the leadership makes sure that managers understand how security serves as a business enabler and how security issues factor into their own job-approval rating.

The fifth element is that security is integrated into enterprise functions and processes, from risk management and hiring to change control. The last factor is recognizing individual responsibilities with respect to the organization’s security.

This paper—which also considers compliance and potential legal liability—is aimed primarily at IT security managers. But physical security professionals will find that the issues addressed are the same as those they face every day.