Integration of IT governance and security risk management: A systematic literature review

GRC is an umbrella acronym covering the three disciplines of governance, risk management and compliance. In this context, IT GRC is the subset of GRC dealing with the IT aspects of GRC. The main challenge of GRC is to achieve an approach that integrates the three domains as fully as possible. The objective of our paper is to study one facet of IT GRC: the links and integration between IT governance and risk management, which we consider today to be the least integrated. To do so, the method followed in this paper is a systematic literature review, in order to identify the existing research works in this field. The resulting contribution of the paper is a set of recommendations, established for practitioners and for researchers, on how to better deal with the integration between IT governance and risk management.
