New guidance for CEOs and boards on information security
27 April 2006
New Delhi: The non-profit IT Governance Institute (ITGI) has released new guidance on information security governance, titled Information Security Governance: Guidance for Boards of Directors and Executive Management.

While organisations can survive the loss of most assets, such as facilities and equipment, critical information, including financial or customer data, is often the most difficult to get by without.

To effectively protect such critical assets, ITGI says information security must be addressed at the highest level of the organisation, by boards of directors and CEOs. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities.

"Information security is a critical business issue that can improve reputation and trust, as well as efficiency by avoiding wasted time and effort recovering from a security incident," says Everett Johnson, international president of the IT Governance Institute. "It's not something that can be relegated to the IT department."

The updated guidance includes actions that boards and executive management can take to ensure effective information security governance. An easy-to-read laminated checklist is included that lists information security governance responsibilities, the benefits of information security governance, and the 15 elements of a comprehensive security programme:

The card also notes five positive outcomes of a successful information security program:

  • Information security is aligned with business strategy to support the business.
  • Risks are managed to reduce impacts on information.
  • Resources are managed by using information security knowledge and infrastructure effectively and efficiently.
  • Information security governance metrics are used to measure, monitor and report progress.
  • Information security investments deliver value to the business.

"With increasing globalisation, privacy compliance issues, regulatory requirements and the risk of security breaches, organisations are evolving in their thoughts about information security," said Krag Brotby, author of the publication. "Boards of directors and executive management are realising that information security can deliver real value to the organization and are incorporating information security governance into their overall enterprise governance programs."

The IT Governance Institute® (ITGI) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. The institute has developed 'control objectives for information and related technology' (COBIT) and offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

 

