Please reply to the two posts below

1. As the prompt suggests, information security went from being a technical add-on to full fledge attribute that co-exists with any system that is being built. From meeting certain standards to auditors or other organizations, there are many drivers in the space that push for more effective governance of security. The governance in itself is different from security management, which tackles mitigation risks. Governance in this case refers to authorization of decision making regarding the mitigation. From accountability to security management taking proper order, governance makes sure the polices are valid and complaint with the organization and standards. Financial reasons, accountability, structure, and assurance are some factors for information security governance. Being able to make sure an organization and its employees from top to bottom are dealing business within legal limits helps it from getting into trouble, while at the same time seeing processes taking shape and connected can prevent further harm to the organization via cyberattacks from in or out the company.

2. The primary drivers of effective information security governance in my experience have been requirements from auditors. In the financial services sector, FCUA and FDIC have strict guidelines on the maintenance, safeguarding and access of PII or NPI. As an example in order to have more secure Windows servers one could use CIS standards or STIGs (DoD). CIS Benchmarks or STIG configurations are meant to be a “gold standard” in order to secure or “harden” specific operating systems. Risk management would have to work in conjunction with Information Security (IT) in order to establish baselines and where there could be improvement. Identifying the highest values assets (or targets) with more vulnerabilities prior to auditing not only improves your overall security posture, but decreases risk. Executive decision making would have to be based on extensive research, effort and budgeting in order to meet information security guidelines. If glaring problems or inherent risks are not addressed the company’s reputation and reliability could suffer. Executive decision making also has to include the bottom line, or the customers’ wants and needs at the end of the day.