I.A Security Culture
An institution's security culture contributes to the
effectiveness of the information security program. The information
security program is more effective when security processes are
deeply embedded in the institution's culture.

The board and management should understand and support
information security and provide appropriate resources for
developing, implementing, and maintaining the information security
program. The result of this understanding and support is a program
in which management and employees are committed to integrating the
program into the institution's lines of business, support
functions, and third-party management program.

The introduction of new business initiatives (such as new
service offerings or applications) can reveal the maturity of and
degree to which information security is part of the institution's
culture. An institution with a stronger security culture generally
integrates information security into new initiatives from the
outset and throughout the life cycles of services and applications.
Another indicator of an effective culture is whether management and
employees are held accountable for complying with the institution's
information security program.