This document provides guidance on integrating IT security and IT Investment Management processes. Applying funding towards high-priority security investments supports the objective of maintaining appropriate security controls, at both the enterprise-wide and system levels, commensurate with levels of risk and data sensitivity. This paper introduces common criteria against which managers can prioritize security activities to ensure that corrective actions are incorporated into the capital planning process to deliver maximum security in a cost-effective manner. (70 Pages)
The document has been written for the federal government, but the lessons can be adapted for commercial applications.