Page 21 - CISSO_Prep_ Guide
is trustworthy, then we often see that no one person is genuinely liable.

The recent past has been littered with examples of a lack of accountability and governance. Many organizations have committed fraud, failed to protect assets adequately, and disclosed personally identifiable information (PII) inappropriately. Several countries have passed legislation, and industries have developed standards, in an attempt to increase accountability and personal ownership for compliance with laws, acceptable standards, and best practices. These laws have varying levels of effectiveness and often impose a high cost on the organizations affected. A core principle required to protect the assets of the organization is to define the roles and responsibilities for the oversight and management of the security program.

The ultimate authority and accountability for the governance of the organization rests with the senior management team and the board of directors. They are responsible and accountable for ensuring that the organization follows the law, behaves ethically, and defines both the level of adequate protection for the assets of the organization and the levels of risk acceptance. Many of these principles (ethics, law, compliance, etc.) will be examined in more detail later in this book.