Information Security Governance – Constraints


There are many constraints to consider when defining and implementing information security policies. The most important are legal and regulatory requirements, physical constraints, and organizational structure, followed by company image, cost, and the organization's risk tolerance. This article summarizes these constraints and discusses how each one shapes an effective information security governance framework.

Legal and regulatory requirements are constraints that must be taken into account when defining information security policies.

The laws and regulations that apply to the organization (by jurisdiction, by industry, and by the kind of data it handles) set a floor below which a policy cannot go: controls they mandate are not optional, and the policy must also define what evidence the organization keeps to demonstrate compliance to auditors and regulators.

The Sarbanes-Oxley (SOX) Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for publicly traded corporations. Among other things, management must assess the effectiveness of the corporation’s internal controls over financial reporting, and an independent public accounting firm must attest to that assessment. For the security program this means that the systems which store and process financial data, together with the access controls, change management and logging around them, are within the scope of the external audit and must be documented and operated accordingly. The law was passed in response to a series of major corporate and accounting scandals, such as Enron and WorldCom.

Physical constraints arise from the facilities where information systems are located: the reliability of the power supply, physical access control to the premises, network connectivity, the topology of the on-site network, and so on.

It is important to understand that these physical constraints can limit the effectiveness of information security policies. For example, suppose an organization adopts a policy that requires employees to use encrypted communication channels for all sensitive data transmissions, but some of its offices are located in a country whose regulations restrict the use of encryption technology. The location of those offices (a physical fact) triggers a legal restriction, and the organization cannot fully enforce the policy at those sites; the policy must say what happens to sensitive data there instead.

Similarly, if an organization stores sensitive personal data on servers at one location while keeping its other servers and databases at another, and neither location is adequately protected against unauthorized access (for example, by firewalls that separate enterprise systems from public networks), the personal data is more exposed and the overall network is weaker, because there is no proper segmentation either between the two sites or between internal systems and public networks.

Other constraints may relate to company image, organizational structure, or costs in general.

Beyond legal and physical constraints, the policy must fit the organization’s public image, its management structure, and its budget:

  • Company image – Security programs and policies should be integrated into the overall corporate strategy and business plan. This means that information security must support the overall direction of the organization and its goals, including profitability, market share, and reputation. A breach damages reputation directly, but so does a policy so restrictive that customers and partners find the organization hard to work with.
  • Organizational structure – The governance structure for information security should reflect your organization’s management approach and processes. For example: is there one department responsible for security, or do multiple departments share it? Who has the authority to grant exceptions? Are some business areas more heavily regulated than others? Is there a compliance requirement related to data retention and destruction?
  • Costs – Every control has a price in money, staff time, and user friction. The budget caps what can be implemented, and a policy that demands controls the organization cannot fund or staff will be bypassed rather than followed.

Risk tolerance expresses the maximum level of risk the organization is willing to accept.

Risk tolerance is the amount of risk an organization is willing to accept, and it is set by the board of directors or another governing body. It constrains policy because it decides which risks must be reduced by controls and which may be formally accepted. A policy that is stricter than the stated tolerance spends resources on risks leadership was prepared to carry; one that is looser leaves the organization exposed to risks leadership never agreed to accept.

There are many different security policy constraints to consider.

There are many different security policy constraints to consider when developing an effective governance strategy. Legal and regulatory requirements must be considered when creating a security policy. Physical constraints may also apply, such as the physical location of your data or servers. Your company’s image is another consideration, because a poor reputation drives customers and investors away. Organizational structure plays an important role in determining how you implement certain policies and what support staff you have access to (e.g., IT or HR). Costs are another constraint: if a control is too expensive to implement properly, there is less room for mistakes during implementation, and fewer resources are left for training, tooling, and ongoing operation, which ultimately weakens the program.

In addition to these constraints, other factors shape information security governance beyond purely technical considerations: the level of risk leadership is prepared to accept, and the management style of the key decision makers who approve and fund security decisions.


In this article, we’ve covered the most important security policy constraints. As you can see, many factors have to be weighed when creating an information security policy, which is why it is important for companies to have an experienced expert on board who understands all of these aspects and how they interact.
