Sometimes I need to remind myself...
Information Security Management's primary function is to ensure that the risks that may lead to unauthorized alteration or disclosure of information do not exceed an acceptable level.
Mechanisms that we use to achieve that acceptable level consist mainly of controls that can roughly be grouped into policy and technology. Setting the level at which risk is acceptable is not the responsibility of the information security manager.
Information Security Management's responsibility includes ensuring that users are aware of the policies that are in place, and that they know how to use information security technology.
To ensure that policies are followed and that technology is used properly, information security management also includes the responsibility for preventing, detecting, and investigating breaches of policy or threats against the technology used to manipulate information.