By way of brief background, NIST organizes cybersecurity risk management into five high-level functions: Identify, Protect, Detect, Respond and Recover. Placed within the Identify function is a category called Governance. NIST defines governance broadly to refer to an organization’s ability to inform its security approach based on its “regulatory, legal, risk, environmental, and operational requirements,” and to manage those efforts through appropriate policies, procedures and processes.
Ultimately, good governance should translate into your organization having high confidence that the following four principles hold true: