An Optimized Dynamic Process Model of IS Security Governance Implementation

The year 2011 witnessed many high-profile data breaches despite the availability of IS security and governance controls, frameworks, standards and models for organisations to choose from, and despite the technical advances made in intrusion prevention and detection. Taking this issue into account, the objective of this paper is to identify and analyse the weaknesses in the IS security defences of organisations from a holistic perspective, and to propose a dynamic IS security governance process model for the implementation of appropriate controls and mechanisms for optimised IS security. Optimisation is achieved through the strategic overlap of security and governance frameworks, implemented in a prioritised, phased manner for efficiency and effectiveness in cost, time and effort. The paper starts with an analysis of data breaches to identify the weaknesses in organisational information systems. This is followed by an analysis of the recommended requirements and dimensions of effective IS security architecture, IS governance, and related concepts and models, in order to identify the relevant frameworks used in IS security and governance. Thereafter, the best practices for implementing the model are evaluated, and finally the frameworks and IS entities are integrated into an optimised Information Systems Security and Governance (ISSG) process model.