The NIST Security Handbook states that governance is highly dependent on the overall organization structure.
- Centralized structures maintain budget control and ensure implementation and monitoring of information security controls.
- Decentralized structures have policy and oversight responsibilities and budget responsibilities for their departmental security program, but not for the operating unit information security program.
- Reporting structures are different as well.
- Governance structures can be hybrid, with a combination of characteristics from both centralized and decentralized structures.
Discuss why Security Governance should use the stated structures. Provide a simple case study in which an organization can benefit from such controls. Do you think all organizations follow this principle?