In order for an enterprise to be capable of implementing an efficient security governance scheme, the following pre-requisites must be met.

• >Security is here to satisfy business needs, thus business lines should be able to dynamically express their needs in terms of security. This could go from process mapping to asset localization and classification. Needless to say that these schemes are "living" schemes, thus a clear updating process should be implemented.
• >A Risk is constituted whenever a threat agent (whether human, natural or automated) circumvents already implemented security measures (as defined in the different streams) and successfully exploits a given vulnerability (that could be spotted via audits, penetration tests, internal control procedures, etc.). Thus, it is important to identify threat categories that may lead to operational loss as defined in the seven categories of Basel II and to be capable of simulating all possible scenarios that may induce such a loss.
• >Whenever a security expectation gap is noticed, i.e. whenever a business need in terms of security is not met, a security action plan should be drafted in order to correct the technical, organizational or human vulnerability whose exploitation generated this gap.

This methodology is naturally compliant with the Information Security Management System (ISMS) as defined by the ISO 27001:2005 (international requirements standard for information security).

A specific attention should however be brought to the language that is being used during the different steps of this ISMS scheme. It is crucial that the different risk analysis modules (i.e the asset classification module, the threat identification module, the vulnerability discovery module and the business impact analysis module) speak the same language and use a shared scoring system such as the CIA triumvirate (Confidentiality, Integrity, Availability) + Auditability.

Such living information should be dynamically stored, processed and updated. Thus a packaged interactive interface would be the most suited for proper governance that builds its security roadmaps upon reliable and efficient dashboards as required by the Basel II committee.

Thus, it would be possible for compliance officers and permanent controllers to aggregate and analyze large sets of data, hence be able to derive prioritization criteria (i.e. for selecting the top 10 applications that will benefit from short-term security roadmaps).