    Information Security Governance Framework in Public Cloud a Case in Low Resource Economies in Uganda

    The study aimed at exploring the critical enablers to the development and usage of information security governance frameworks for cloud computing in Uganda. The study was motivated by the continuous information security governance challenges in the Public Cloud. The theoretical frameworks that underpinned this study included; Contingency management theory, the Risk Management framework, the Technological Organisational and Environmental (TOE) model and the Information Security Governance model. This study adopted a quantitative research approach to obtain data through a survey. Five key factors for information security governance were identified: a) Technological factors: flexibility, scalability, availability, agility, data protection governance, trust of cloud, data source, maintenance, data retention and policy. b) Organisation: size and structure of the organisation, top management support. c) Environmental factors: governance and regulation, marketing, vendor, resource availability, obsoleteness. d) Individual: user resistance, attitude, skills, belief and learnability. e) Risk management and control factors: risk assessment, disaster recovery, access and authorisation control, monitoring, auditing, and process risk control. The study contributes to theory and practice in information security. The developed framework and its accompanying model helped to inform public departments, organisational top management and information security strategies to avoid excessive information risks and potential regulatory compliance failures in public cloud. The study was inclined on subjective information security, which alone may not fully address all information security problems in a public cloud. Therefore, it is recommendable that future research studies on objective security in public cloud

    Developing And Validating A Healthcare Information Security Governance Framework

    General medical practices' in Australia are vulnerable to information security threats and insecure practices. It is well accepted in the healthcare environment that information security is both a technical and a human endeavour, and that the human behaviours, particularly around integration with healthcare workflow, are key barriers to good information security practice. The Royal Australian College of General Practitioner's (RACGP) Computer and Information Security Standards (CISS) 2013 are the best practice standards for general practices, against which information security is assessed during practice accreditation. With the release of ISO/IEC 27014:2013 Information technology - Security techniques - Governance of information security in May 2013, it is this governance component of information security that is insufficiently addressed within General Practice at present. This paper documents the development and validation of an information security governance framework for use within general medical practice. The aim of the proposed Information Security Governance Framework is to extend current best practice information security management to include information security governance

    Impact of Knowledge Management on Security of Information and its Strategic Outcomes

    Security of Information plays an important role in the progress of any organization. This research finds out that Information Security can be achieved through proper Knowledge Management in organizations especially in Telecommunication Sector. Not only the literature supports the theme of the research but it was also proved by the analysis and results of the respondents' responses. Knowledge Management was found to have positive and significant influence over Security of Information. A framework was also developed for studying the relationship among Knowledge Management, Security of Information, Information Governance, Information Risk Management and Safety to Organizational Knowledge; which was tested through correlation and regression. Though the research was carried out in Telecommunication Sector organizations, yet it is equally valuable for and implementable in any other sector. Keywords: Knowledge Management (KM), Information Governance (IG), Information Risk Management (IRM), Safety to Organizational Knowledge (SOK)

    Enhancing the governance of information security in developing countries: the case of Zanzibar

    A thesis submitted to the University of Bedfordshire, in partial fulfilment of the requirements of the degree of Doctor of Philosophy. Organisations in the developing countries need to protect their information assets (IA) in an optimal way. This thesis is based upon the argument that in order to achieve fully effective information security management (ISM) strategy, it is essential to look at information security in a socio-technical context, i.e. the cultural, ethical, moral, legal dimensions, tools, devices and techniques. The motivation for this study originated from the concern of social chaos, which results from ineffective information security practices in organisations in the developing nations. The present strategies were developed for organisations in countries where culture is different to culture of the developing world. Culture has been pointed out as an important factor of human behaviour. This research is trying to enhance information security culture in the context of Zanzibar by integrating both social and technical issues. The theoretical foundation for this research is based on cultural theories and the theory of semiotics. In particular, the study utilised the GLOBE Project (House et al, 2004), Competing Values Framework (Quinn and Cameron; 1983) and Semiotic Framework (Liu, 2000). These studies guide the cultural study and the semiotics study. The research seeks to better understand how culture impacts the governance of information security and develop a framework that enhances the governance of information security in non-profit organisations. ISO/IEC 27002 best practices in information security management provided technical guidance in this work. The major findings include lack of benchmarking in the governance of information security. Cultural issues impact the governance of information security. Drawing the evidence from the case study a framework for information security culture was proposed. In addition, a novel process model for information security analysis based on semiotics was developed. The process model and the framework integrated both social and technical issues and could be implemented in any non-profit organisation operating within a societal context with similar cultural feature as Zanzibar. The framework was evaluated using this process model developed in this research. The evaluated framework provides opportunities for future research in this area

    The recognition and application of security risk management in corporate governance

    Security as a profession and discipline has emerged principally in the latter half of the twentieth century and has developed to become a more defined, usual, respectable and visual part of management. This study aimed to determine the degree of recognition and application of security risk management to corporate governance practices in Australia. Formal research design used descriptive research methodology, consisting of a literature review, primary document analysis and a questionnaire survey to collect data. This research was contrasted to a Corporate Governance Security Model formulated to determine if the model is applicable to the recognition, or application, of a security function to the Australian Stock Exchange ('ASX') Corporate Governance principles. A major finding of this study is that security functions and responsibilities are poorly recognised and documented by Australia's largest public company boards. A majority of directors will have no experience or qualifications in security risk management and this is likely to be reflected down through the organisation resulting in low to medium security awareness and culture. Corporate governance statements from companies listed on the ASX/S&P 200 strongly suggest that security related risks are not widely considered as part of the corporate governance framework. With limited application of security in the corporate governance framework, there is less focus on security related behaviour within the codes of conduct held by a majority of public companies. This can have an adverse impact on corporate ethics, internal controls and crisis response capabilities. The study developed a model which implements security risk management functions to the corporate governance framework in order to formally recognise and promote effective management of security risk and compliance. Applying security as a business process to support long term revenue was found to benefit corporate reputation and complements other risk and business management practices. Security of information and confidentiality is enhanced to encourage reports of misconduct within the company, generating a security and reporting culture. Security functions are currently limited to form part of internal controls within the operating environment and generally viewed as a cost centre which does not contribute to revenue. Security functions are not holistically applied across the organisation or within the corporate governance framework. There are a number of recommendations resulting from the study and are primarily concerned with the continued need for research into the application and recognition of security within the hierarchy of executive and business management

    Electronic security - risk mitigation in financial transactions : public policy issues

    This paper builds on a previous series of papers (see Claessens, Glaessner, and Klingebiel, 2001, 2002) that identified electronic security as a key component to the delivery of electronic finance benefits. This paper and its technical annexes (available separately at http://www1.worldbank.org/finance/) identify and discuss seven key pillars necessary to fostering a secure electronic environment. Hence, it is intended for those formulating broad policies in the area of electronic security and those working with financial services providers (for example, executives and management). The detailed annexes of this paper are especially relevant for chief information and security officers responsible for establishing layered security. First, this paper provides definitions of electronic finance and electronic security and explains why these issues deserve attention. Next, it presents a picture of the burgeoning global electronic security industry. Then it develops a risk-management framework for understanding the risks and tradeoffs inherent in the electronic security infrastructure. It also provides examples of tradeoffs that may arise with respect to technological innovation, privacy, quality of service, and security in designing an electronic security policy framework. Finally, it outlines issues in seven interrelated areas that often need attention in building an adequate electronic security infrastructure. These are: 1) The legal framework and enforcement. 2) Electronic security of payment systems. 3) Supervision and prevention challenges. 4) The role of private insurance as an essential monitoring mechanism. 5) Certification, standards, and the role of the public and private sectors. 6) Improving the accuracy of information on electronic security incidents and creating better arrangements for sharing this information. 7) Improving overall education on these issues as a key to enhancing prevention. Knowledge Economy, Labor Policies, International Terrorism & Counterterrorism, Payment Systems & Infrastructure, Banks & Banking Reform, Education for the Knowledge Economy, Governance Indicators

    IT GOVERNANCE FRAMEWORK: ONE SIZE FITS ALL?

    Most of the IT governance frameworks address information systems management in the corporate settings that support top-down management. However, this neglects some organizational settings in favor of a bottom-up approach, such as higher education. To close the gap, this study compares the management styles and organizational practices between higher education and banking industry to reveal the underlying factors that drive organizational security norms in both industries. The results reveal that higher education operates in an open environment that supports employees’ participation for policy compliance. On the other hand, top-down management enforces policies and facilitates employees’ participation for information security safeguard in the banking industry. Accordingly, this study suggests that a new paradigm of IT Governance framework (ITG) is necessary for addressing the unique culture of higher education. Additionally, IT governance can operate in a decentralized mode in the banking industry for encouraging employees’ participation in support of information policy compliance