The Corporate Information Security Working Group (CISWG) was originally convened in November 2003 by Representative Adam Putnam (R-FL). The Best Practices team surveyed available information security guidance. It concluded in its March 2004 report that much of this guidance is expressed at a relatively high level of abstraction and is therefore not immediately useful as actionable guidance without significant and often costly elaboration. In a subsequent phase convened in June 2004, the Best Practices and Metrics teams was charged with refining Information Security Program Elements and developing recommended Metrics supporting each of the elements. This report is the result of that effort and represents a resource that will help Board members, managers, and technical staff establish their own comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.