National Institute of Standards and Technology
In this paper, the authors explain compliance-driven security. The paper illustrates how a well-structured security governance program, with fully developed and implemented policies, plans, and procedures applied in a risk-based approach, strengthens an organization's security posture and encourages cost-effective use of resources. The objective of information security programs is to reduce risk to critical data and information systems. They measure the criticality of data by the adverse impact to an organization or its mission that would result from the loss or degradation of that data's confidentiality, integrity, or availability.