The IT Law Wiki



Governance is

  • a group of policies, decision-making procedures, and management processes that work together to enable the effective planning and oversight of activities and resources.[1]
  • [t]he use of institutions, statutes of authority, and collaboration to allocate resources and coordinate or control activity within a project, program, or portfolio.[2]
  • the set of responsibilities and practices exercised by those responsible for an organization (e.g., the board of directors and executive management in a corporation, the head of a federal agency) with the express goal of: (i) providing strategic direction; (ii) ensuring that organizational mission and business objectives are achieved; (iii) ascertaining that risks are managed appropriately; and (iv) verifying that the organization's resources are used responsibly. Risks and resources can be associated with different organizational sectors (e.g., legal, finance, information technology, regulatory compliance, information security).[3]

Computer security

Governance is

the setting of clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision-making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.[4]


Governance is

[t]he state's ability to serve the citizens through the rules, processes, and behavior by which interests are articulated, resources are managed, and power is exercised in a society, including the representative participatory decision-making processes typically guaranteed under inclusive, constitutional authority.[5]

"Governance is a broad term that can include a number of factors. At the federal level, governance is closely associated with evaluation of existing programs and the management of federal expenditures, including grants. A number of federal agencies have roles in guiding and monitoring some decisions of states and localities through grant administration."[6]


Different sectors require specialized expertise in order to manage the risks associated with that sector. Thus, governance within organizations frequently is organized by sector. The five outcomes of governance related to organization-wide risk management are:

  • Strategic alignment of risk management decisions with missions and business functions consistent with organizational goals and objectives;
  • Execution of risk management processes to frame, assess, respond to, and monitor risk to organizational operations and assets, individuals, other organizations, and the Nation;
  • Effective and efficient allocation of risk management resources;
  • Performance-based outcomes by measuring, monitoring, and reporting risk management metrics to ensure that organizational objectives are achieved; and
  • Delivered value by optimizing risk management investments in support of organizational objectives.[7]


  1. The Common Approach to Federal Enterprise Architecture, at 46 (Terms and Definitions).
  2. California Office of Systems Integration, Definitions (full-text).
  3. NIST Special Publication 800-39, at 11.
  4. Cybersecurity Assessment Tool, App. C: Glossary (full-text).
  5. U.S. Department of Defense, Joint Pub. 1–02: DOD Dictionary of Military and Associated Terms (Nov. 8, 2010, as amended through May 15, 2011) (full-text).
  6. A National Plan for Migrating to IP-Enabled 9-1-1 Systems, at 5.
  7. NIST Special Publication 800-39, at 11.

See also