Organizations worldwide are increasing their information security initiatives to keep pace with the highly complex and dynamically changing operating environments. With mounting regulations, risk mitigation, and critical information protection pressures, they focus on IT governance. Using a case study methodology, this research in progress introduces an interdisciplinary common governance framework to information security policy, an important internal governance control. The Institutional Analysis and Development (IAD) framework is part of Nobel Prize-winning work in economics and is recognized as one of the most comprehensive tools for both design and analysis of policy interventions.