We hosted a webinar this past Thursday featuring Bill Billings. Bill is currently the CISO and VP of Federal at Blackridge Technology; before Blackridge, he was the CISO of Microsoft's Federal business unit. Needless to say, the guy understands security and SharePoint.
Bill talked about information governance, with an emphasis on bringing SharePoint into an information security program. One of the attendees asked Bill for his thoughts on the best place to start. The term "governance" is abused by a lot of vendors, and I think the person who asked this question was having problems sorting through the hype.
Bill's guidance was to manage baseline information security in accordance with ISO 27001 and then handle specific compliance gaps (e.g. PCI DSS, HIPAA) as you identify them. Bill also mentioned NIST SP 800-53. I thought it would be useful to post links here to both of those sources. I found Appendix D of the NIST document to be interesting and comprehensive.