The complex issue of IS security involves organizational factors. Decision making, an important area of organizations, however, has only been studied to a limited extent in relation to IS security. In this paper we explore the relationship between organizational distribution of decision rights and IS security. We review the security literature and identify three aspects of an organization as what we term the pillars bolstering the success of IS security – people, processes/structures, and technology. We top our IS Security Architecture with the integrative truss of IS security strategy. Employing Weill and Ross’ (2004) IT governance archetypes, we link this IS Security Architecture to IT governance, and propose that IT governance patterns can enhance security when the governance archetype in place matches the decision profile required by a security practice.