For an enterprise to be capable of implementing an effective security governance scheme, the following prerequisites must be met.

This methodology is naturally compliant with the Information Security Management System (ISMS) as defined by ISO 27001:2005 (the international requirements standard for information security). Particular attention should however be paid to the language used during the different steps of the ISMS scheme. It is crucial that the different risk analysis modules (the asset classification module, the threat identification module, the vulnerability discovery module and the business impact analysis module) speak the same language and use a shared scoring system, such as the CIA triad (Confidentiality, Integrity, Availability) extended with Auditability; otherwise an asset rated "high" by one module cannot be compared with a threat or impact rated "high" by another.

Such living information should be stored, processed and updated dynamically. A packaged interactive interface is therefore the most suitable support for a governance function that builds its security roadmaps on reliable and efficient dashboards, as required by the Basel II committee. Compliance officers and permanent controllers would then be able to aggregate and analyze large data sets and derive prioritization criteria from them (e.g. selecting the top 10 applications that will benefit from short-term security roadmaps).