The University of SydneyPage 37KGIs, KPIs, CSFsBusiness Process Assurance•No gaps exist in information asset protection--Assurance processes identified--Risk assessments include complete business processesnot restricted to IT•Roles and responsibilities defined with concise interfaces•Authority, Responsibility and Accountability for assurance functions clearly defined•Steering committee includes representatives of all assurance functions, explicit charter, defined responsibilities and authority