Information security governance is a subset of corporate governance and gives the strategic direction to information security. It is aligned with the business goals and objectives: we want to make sure that our strategy for security is appropriate for the risks that are being managed and that the resources are being utilized effectively. A good framework is going to have a security strategy; there's going to be a policy that supports that strategy, as well as the rest of the paperwork: standards, procedures, minimum security baselines, and guidelines. There'll be an organizational structure in place for security, and there'll be metrics to measure that.

What I want you to do in class right now is take a look at the exercise and match each description with whether it's a policy, a guideline, or a procedure. Once you've finished that, let's talk a little bit about risk to the organization. What capacity does an organization have to absorb risk? What is its appetite? How much risk are they willing to accept? Is there any wiggle room? What's the risk tolerance, if you would, for the organization?

When we put together a strategy, what comes out of that is going to be the scope and the charter for the organization's information security program. That has to be reflected in the organization's strategy, it has to be reflected in the organization's policy, and it has to have senior management support. Part of what we do in this process of information security governance is governance, due diligence, due care; we manage risk, and then we make sure that we are in compliance with that. The three major aspects here are: governance, risk management, and compliance.

Anything that we do, we have to justify. There has to be a business model, if you would, for security. We have to look at it from an overall point of view. The business model that's used by ISACA is called BMIS, the Business Model for Information Security.
It's made up of four major elements: the organization, the people, the processes, and the technology that's being used, as well as the interconnections between those four major elements: governance, culture, enablement and support, emergence (new technology), human factors, and architecture. Process assurance: we need some assurance, we need some metrics, that what we're doing is working. Integration is critical. Some of the techniques that we use for integration, as we just talked about, are governance, risk and compliance; BMIS, the Business Model for Information Security; as well as the international standards 27000 series for information security. What we're saying is that since security is so critical, it has been elevated to a C-level position. It includes all security, not just information security but physical security. We're getting that 30,000-foot view, if you would, or the holistic approach. We look at emerging technologies and threats, as well as what it costs to remediate an incident.