Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach

ERP implementation methodologies and frameworks: a literature review

Enterprise Resource Planning (ERP) implementation is a complex and vibrant process, one that involves a combination of technological and organizational interactions. Often an ERP implementation project is the single largest IT project that an organization has ever launched and requires a mutual fit of system and organization. Also the concept of an ERP implementation supporting business processes across many different departments is not a generic, rigid and uniform concept and depends on variety of factors. As a result, the issues addressing the ERP implementation process have been one of the major concerns in industry. Therefore ERP implementation receives attention from practitioners and scholars and both, business as well as academic literature is abundant and not always very conclusive or coherent. However, research on ERP systems so far has been mainly focused on diffusion, use and impact issues. Less attention has been given to the methods used during the configuration and the implementation of ERP systems, even though they are commonly used in practice, they still remain largely unexplored and undocumented in Information Systems research. So, the academic relevance of this research is the contribution to the existing body of scientific knowledge. An annotated brief literature review is done in order to evaluate the current state of the existing academic literature. The purpose is to present a systematic overview of relevant ERP implementation methodologies and frameworks as a desire for achieving a better taxonomy of ERP implementation methodologies. This paper is useful to researchers who are interested in ERP implementation methodologies and frameworks. Results will serve as an input for a classification of the existing ERP implementation methodologies and frameworks. Also, this paper aims also at the professional ERP community involved in the process of ERP implementation by promoting a better understanding of ERP implementation methodologies and frameworks, its variety and history

Correlating Architecture Maturity and Enterprise Systems Usage Maturity to Improve Business/IT Alignment

This paper compares concepts of maturity models in the areas of Enterprise Architecture and Enterprise Systems Usage. We investigate whether these concepts correlate, overlap and explain each other. The two maturity models are applied in a case study. We conclude that although it is possible to fully relate constructs from both kinds of models, having a mature architecture function in a company does not imply a high Enterprise Systems Usage maturity

IT process architectures for enterprises development: A survey from a maturity model perspective

During the last years much has been published about IT governance. Close to the success of many governance efforts are the business frameworks, quality models, and technology standards that help enterprises improve processes, customer service, quality of products, and control. In this paper we i) survey existing frameworks, namely ITIL, ASL and BiSL, ii) find relations with the IT Governance framework CobiT to determine if the maturity model of CobiT can be used by ITIL, ASL and BiSL, and (iii) provide an integrated vista of IT processes viewed from a maturity model perspective. This perspective can help us understand the importance of maturity models for increasing the efficiency of IT processes for enterprises development and business-IT alignment

The Role of Boards in Reviewing Information Technology Governance (ITG) as Part of Organizational Control Environment Assessments

IT Governance (ITG) is an important topic as US companies must now monitor ITG under the provisions of the Sarbanes-Oxley Act (2002) (Hoffmann, 2003). Trites (2003) indicates that directors are responsible for strategic planning, internal control structures and business risk. The control environment is defined in Australian Auditing Standard AUS 402 to mean "the overall attitude, awareness and actions of management regarding internal control and its importance to the entity". This paper contributes to the knowledge of ITG by forming an integrated ITG Literature (IIL) which links prior research to four key dimensions of ITG. The paper presents a review of literature on ITG performance measurement systems which assess the ability of organizations to achieve these four ITG dimensions. A revised ITG Dimensions Model offered for consideration. The final contribution of the paper is to propose critical issues Boards should consider as part of their assessment of organizational control environments

A framework and tool to manage Cloud Computing service quality

Cloud Computing has generated considerable interest in both companies specialized in Information and Communication Technology and business context in general. The Sourcing Capability Maturity Model for service (e-SCM) is a capability model for offshore outsourcing services between clients and providers that offers appropriate strategies to enhance Cloud Computing implementation. It intends to achieve the required quality of service and develop an effective working relationship between clients and providers. Moreover, quality evaluation framework is a framework to control the quality of any product and/or process. It offers a tool support that can generate software artifacts to manage any type of product and service efficiently and effectively. Thus, the aim of this paper was to make this framework and tool support available to manage Cloud Computing service quality between clients and providers by means of e-SCM.Ministerio de Ciencia e Innovación TIN2013-46928-C3-3-RJunta de Andalucía TIC-578

Interoperability, Trust Based Information Sharing Protocol and Security: Digital Government Key Issues

Improved interoperability between public and private organizations is of key significance to make digital government newest triumphant. Digital Government interoperability, information sharing protocol and security are measured the key issue for achieving a refined stage of digital government. Flawless interoperability is essential to share the information between diverse and merely dispersed organisations in several network environments by using computer based tools. Digital government must ensure security for its information systems, including computers and networks for providing better service to the citizens. Governments around the world are increasingly revolving to information sharing and integration for solving problems in programs and policy areas. Evils of global worry such as syndrome discovery and manage, terror campaign, immigration and border control, prohibited drug trafficking, and more demand information sharing, harmonization and cooperation amid government agencies within a country and across national borders. A number of daunting challenges survive to the progress of an efficient information sharing protocol. A secure and trusted information-sharing protocol is required to enable users to interact and share information easily and perfectly across many diverse networks and databases globally.Comment: 20 page

An Aggregated Information Technology Checklist for Operational Risk Management

This study addresses the issue of the Information Technology (IT) Governance frameworks and standards that respond to different levels of operational risks, especially those caused by the information systems and technology infrastructure. A requirement analysis regarding Basel II is conducted, a gap analysis between the Information Control Models (ICMs) is performed, and the aggregated IT checklist for Operational Risk Management (ORM) is proposed by mapping the control objectives in ICMs to the operational risk categories described in Basel II as loss event types. The validity and reliability of the study is based on the focus group assessment of the mappingsBasel II, Operational Risk Management, Information Control Model, Information Technology Governance.

Auditing IT Governance

Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. Organizations that realize the IT is no longer a support process and embeds value and risks need a structured approach for better managing Information Technology, enable its capability to deliver added value enterprise wide and for setting up a risk management program to address new risks arising for usage of IT in business processes. In order to assess if IT Governance is in line with industry practices, IT Auditors need a good understanding of processes and applicable standards, particular audit work programs and experience in assessing potential problem indicators.IT Governance, Audit, ISACA, CGEIT, Val IT, Value Governance, Portfolio Management, Investment Management