Capability Mapping

The capabilities of an Information Security Program can be described by a Security Service Catalog, which is part of a larger catalog that some IT organizations document and publish to the business. These capabilities can be mapped in a way that describes what a business does to reach its objectives. Such a mapping promotes a strong relationship between the business model and the technical security infrastructure that supports the business requirements, resulting in a view that both the business and IT can understand.