Information security is a critical aspect of information systems usage in current organizations. Often relegated to the IT staff, it is in fact the responsibility of senior management to assure the secure use and operation of information assets. Most managers recognize that governance is the responsibility of executive management. The primary objective of governance can be achieved when the members of an organization know what to do, how it should be done, as well as who should do it. The focus on governance has expanded to include more aspects of the organizational hierarchy to include information systems and information security. This article offers value to the executive by first defining governance as it is applied to information security and exploring three specific governance-related topics. The first of these examines how governance can be applied to the critical aspect of planning both for normal and contingency operations. The next topic describes the need for measurement programs and how such metrics can be developed for information security assessment and continuous improvement. Finally, aspects of effective communication among and between general and information security managers is presented.