A Framework for the Governance of Information Security: Can it be Used in an Organization

The purpose of this research paper was to test the validity of the Information Security Governance Framework developed in the seminal research paper by Posthumus and Solms (2004) for its consistency and adequacy in covering the major aspects of Information Security Governance, and in turn to understand the influence that different factors might have in inhibiting effective Information Security Governance in organizations. An interpretive, qualitative, small pilot case study was conducted in an organization in North America using open-ended questions and face-to-face interviews or teleconferences with senior-level management. With reported information security breaches, compromises and incidents in organizations on the increase, effective Information Security Governance is expected to become a major issue in organizations. Thus, information security should be a priority of executive management, including the Board of Directors and the Chief Executive Officer, and therefore commence as a corporate governance responsibility. Within many organizations an important barrier to effective information security is the lack of a framework for action, inclusion and integration into governance. In addition, information security can no longer be viewed as just a technical issue to be left to the Information Technology department to handle. Rather, it is a Corporate Governance issue that must be addressed by CEOs and Boards of Directors, then implemented and enforced across all levels of the organization. The global revolution in governance regulation, brought about by the high-profile corporate scandals and failures of the past decade, is impacting most companies. As a result of these scandals and failures, complex laws and regulations have been implemented to force improvement in governance, information security and organizational transparency.
These corporate scandals and failures, coupled with legislation such as Sarbanes-Oxley, California SB 1386, Gramm-Leach-Bliley (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA), have prompted shareholders to demand better accountability from public firms. Accordingly, information security governance has become a legitimate high-level concern and responsibility of the board of directors, executive management and senior IT management. Ensuring proper Information Security Management is one of the critical functions of good corporate governance in organizations. Properly governed, information security takes the larger view that the organization's information, and the knowledge based on it, must be adequately protected regardless of how it is handled, processed, transported or stored. It addresses the business risks, benefits and processes involved with all information resources. Information security, as with other critical organizational resources, must be addressed at the enterprise governance level.

[1] Antonio Carlos Gastaud Maçada, et al. The Financial Impact of IT Governance Mechanisms' Adoption: An Empirical Analysis with Brazilian Firms. 2009, 42nd Hawaii International Conference on System Sciences.

[2] Robert W. Zmud, et al. Research Commentary: The Organizing Logic for an Enterprise's IT Activities in the Digital Era - A Prognosis of Practice and a Call for Research. 2000, Inf. Syst. Res.

[3] Mathias Ekstedt, et al. Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. 2014, Comput. Secur.

[4] Sean B. Maynard, et al. Organisational Information Security Strategy: Review, Discussion and Future Research. 2017, Australas. J. Inf. Syst.

[5] Sebastiaan H. von Solms, et al. Information Security - The Fourth Wave. 2006, Comput. Secur.

[6] Jan H. P. Eloff, et al. A comparative framework for risk analysis methods. 1993, Comput. Secur.

[7] Mario Piattini, et al. IT Security Governance Innovations: Theory and Research. 2012.

[8] Jan H. P. Eloff, et al. An Information Security Governance Framework. 2007, Inf. Syst. Manag.

[9] Marian Carcary, et al. A Framework for Information Security Governance and Management. 2016, IT Professional.

[10] Jan H. P. Eloff, et al. A framework and assessment instrument for information security culture. 2010, Comput. Secur.

[11] William Brown, et al. Sarbanes-Oxley and Enterprise Security: IT Governance - What It Takes to Get the Job Done. 2005, Inf. Secur. J. A Glob. Perspect.

[12] Sebastiaan H. von Solms, et al. Information Security Governance - Compliance management vs operational management. 2005, Comput. Secur.

[13] Robert W. Zmud, et al. Special Issue on Redefining the Organizational Roles of Information Technology in the Information Age. 2003, MIS Q.

[14] Sebastiaan H. von Solms, et al. Corporate Governance and Information Security. 2001, Comput. Secur.

[15] Sean B. Maynard, et al. Information Security Governance: A Case Study of the Strategic Context of Information Security. 2017, PACIS.

[16] A. B. Ruighaver, et al. Information Security Governance: When Compliance Becomes More Important than Security. 2010, SEC.

[17] Vallabh Sambamurthy, et al. Principles and Models for Organizing the IT Function. 2002, MIS Q. Executive.

[18] Gurpreet Dhillon, et al. A Theoretical Basis for Defining Internal Control Objectives for Information Systems Security. 2007, AMCIS.

[19] Rossouw von Solms, et al. A framework for the governance of information security. 2004, Comput. Secur.

[20] E. Luciano, et al. Information technology governance in public organizations: Identifying mechanisms that meet its goals while respecting principles. 2017.

[21] Rossouw von Solms, et al. Information Security Governance: A model based on the Direct-Control Cycle. 2006, Comput. Secur.