327,750 research outputs found

    Decision Making, IT Governance, and Information Systems Security

    The complex issue of IS security involves organizational factors. Decision making, an important area of organizations, however, has only been studied to a limited extent in relation to IS security. In this paper we explore the relationship between organizational distribution of decision rights and IS security. We review the security literature and identify three aspects of an organization as what we term the pillars bolstering the success of IS security – people, processes/structures, and technology. We top our IS Security Architecture with the integrative truss of IS security strategy. Employing Weill and Ross’ (2004) IT governance archetypes, we link this IS Security Architecture to IT governance, and propose that IT governance patterns can enhance security when the governance archetype in place matches the decision profile required by a security practice

    An Exploratory Study of the Approach to Bring Your Own Device (BYOD) in Assuring Information Security

    The availability of smart device capabilities, easy to use apps, and collaborative capabilities has increased the expectations for the technology experience of employees. In addition, enterprises are adopting SaaS cloud-based systems that employees can access anytime, anywhere using their personal, mobile device. BYOD could drive an IT evolution for powerful device capabilities and easy to use apps, but only if the information security concerns can be addressed. This research proposed to determine the acceptance rate of BYOD in organizations, the decision making approach, and significant factors that led to the successful adoption of BYOD using the expertise of experienced internal control professionals. The approach and factors leading to the decision to permit the use of BYOD were identified through survey responses; the survey was distributed to approximately 5,000 members of the Institute for Internal Controls (IIC). The survey participation request was opened by 1,688 potential respondents, and 663 total responses were received for a response rate of 39%. Internal control professionals were targeted by this study to ensure a diverse population of organizations that have implemented or considered implementation of a BYOD program were included. This study provided an understanding of how widely the use of BYOD was permitted in organizations and identified effective approaches that were used in making the decision. In addition, the research identified the factors that were influential in the decision making process. This study also explored the new information security risks introduced by BYOD. The research argued that there were several new risks in the areas of access, compliance, compromise, data protection, and control that affect a company’s willingness to support BYOD. 
This study identified new information security concerns and risks associated with BYOD and suggested new elements of governance, risk management, and control systems that were necessary to ensure a secure BYOD program. Based on the initial research findings, future research areas were suggested

    The governance of basic health coverage: A systematic review

    Background: Governance is a concept with multiple meanings. In health coverage systems around the world, there is always an interest in studying governance and measuring its impact on the performance of existing systems and proposing evaluation tools. Objectives: This study aimed to assess the application of governance in health medical coverage systems across the globe by conducting a systematic literature review. Specifically, it looked at whether we can define a standard model of health coverage governance and assess the governance of a country’s medical coverage. Methods: A systematic review of the literature was conducted using Google Scholar in July 2019. We searched studies, published from 2002 to July 2019, on the governance of basic health coverage that were published in English and French. A Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) methodology was followed to conduct systematic reviews. Results: We identified 27 studies that met our inclusion criteria. The governance of basic health coverage is analyzed in all publications that focused on health systems in a particular country or more than one country or looked at the phenomenon globally. A few of the included studies carried out specifications of governance in a health medical coverage context. The World Bank proposes an evaluation framework of the governance of health medical coverage using five main dimensions: coherent decision-making structures, stakeholder participation, transparency and information, supervision and regulation, and consistency and stability. Conclusions: Our systematic review of the governance of basic health coverage showed that few studies have focused on this topic. The difficulty lies in the interaction that exists between basic health coverage and other systems: health and social protection systems. Our study also concluded that one study, that of the World Bank, evaluated the governance of basic health coverage. 
This reflection will be useful for all decision-makers who want to assess the governance of their health care system, provided that it is adapted to the country context. [Ethiop. J. Health Dev. 2020; 34(3): 217-225] Key words: Governance, social security, health insurance, basic health coverag

    Identifying Factors Contributing Towards Information Security Maturity in an Organization

    Information security capability maturity (ISCM) is a journey towards accurate alignment of business and security objectives, security systems, processes, and tasks integrated with business-enabled IT systems, security enabled organizational culture and decision making, and measurements and continuous improvements of controls and governance comprising security policies, processes, operating procedures, tasks, monitoring, and reporting. Information security capability maturity may be achieved in five levels: performing but ad-hoc, managed, defined, quantitatively governed, and optimized. These five levels need to be achieved in the capability areas of information integrity, information systems assurance, business enablement, security processes, security program management, competency of security team, security consciousness in employees, and security leadership. These areas of capabilities lead to achievement of technology trustworthiness of security controls, integrated security, and security guardianship throughout the enterprise, which are primary capability domains for achieving maturity of information security capability in an organization. There are many factors influencing the areas of capabilities and the capability domains for achieving information security capability maturity. However, there is little existing study done on identifying the factors that contribute to achievement of the highest level of information security capability maturity (optimized) in an organization. This research was designed to contribute to this area of research gap by identifying the factors contributing to the areas of capabilities for achieving the highest level of information security capability maturity. The factors were grouped under the eight capability areas and the three capability domains in the form of an initial structural construct. 
This research was designed to collect data on all the factors using an online structured questionnaire and analyzing the reliability and validity of the initial structural construct following the methods of principal components analysis (PCA), Cronbach Alpha reliability analysis, confirmatory factor analysis (CFA), and structural equation modeling. A number of multivariate statistical tests were conducted on the data collected regarding the factors to achieve an optimal model reflecting statistical significance, reliability, and validity. The research was conducted in four phases: expert panel and pilot study (first phase), principal component analysis (PCA) and reliability analysis (RA) of the factor scales (second phase), confirmatory factor analysis (CFA) using LISREL (third phase), and structural equation modeling (SEM) using LISREL (fourth phase). The final model subsequent to completing the four phases reflected acceptance or rejection of the eleven hypotheses defined in the initial structural construct of this study. The final optimized model was obtained with the most significant factors loading on the capability areas of information integrity, information security assurance, business enablement, security process maturity, security program management, competency of security team, security conscious employees, and security leadership, including the most significant factors loading the three capability domains of security technology trustworthiness, security integration, and security guardianship. All the eleven hypotheses were accepted as part of the optimal structural construct of the final model. The model provides a complex integrated framework of information security maturity requiring multi-functional advancements and maturity in processes, people, and technology, and organized security program management and communications fully integrated with the business programs and communications. 
Information security maturity is concluded as a complex function of multiple maturity programs in an organization leading to organized governance structures, multiple maturity programs, leadership, security consciousness, and risk-aware culture of employees

    Access denied? Managing access to the Web within the NHS in England: technology, risk, culture, policy and practice

    1. Introduction The research project as a whole examined the factors that bear on the accessibility of online published professional information within the National Health Service (NHS) in England, and the implications that these have for library and information services. The overall aim of this study was to investigate the apparent disjunction between stated policy regarding evidence-based practice and professional learning, and actual IT (information technology) strategy, service delivery and security practice at NHS trust level, from both technical and organisational perspectives. The presentation discusses the following specific issues: 1) the nature and extent of restrictions on access to websites and web applications within NHS organisations; 2) the impacts of these on professional information seeking and working practices; 3) the technical and organisational factors which bear on how web security is implemented within NHS trusts, in relation to overall organisational priorities and strategies. 2. Methods The study adopted a qualitative case study method, taking three NHS trusts of different types for its setting. The lead researcher [CE] conducted a total of 40 semi-structured interviews with library and workforce development staff, IT managers, information governance managers, and clinical professionals. Interview findings are set in the context of the trusts’ and other relevant reports, policies, strategies and standards. 3. Results Staff in the teaching hospital trust experienced the greatest number of obstacles to information seeking caused by the blocking of legitimate websites (‘false positives’). This affected the work of clinical educators in particular. Much decision-making in relation to information security issues seemed to be tacit. IT security managers reported not having the time to evaluate the effectiveness or impact of the web security devices they deploy on NHS networks. 
They were likely to accept the default configurations and categorisations of content offered by the suppliers. The focus of their attention appeared to be on the potential security risks posed by ‘recreational’/non-work use of the web. 4. Conclusions Little attention has been paid within the NHS information systems community to the issue of access to legitimate published information. The focus is heavily on the secure and appropriate management of clinical records and systems. Community-based staff appeared to be more likely (than their hospital-based colleagues) to be significantly disadvantaged by restrictive access control policies

    The role of infectious disease impact in informing decision-making for animal health management in aquaculture systems in Bangladesh

    The aquaculture sector in Bangladesh is an important employer and a significant source of foreign exchange. In addition, it contributes significantly to food security due to the role of fish in peoples’ diets, the most important source of protein and micronutrients. However, infectious diseases represent an important barrier to sector development due to economic losses and vulnerability of smallholders. The aim of this study was to gain an overview of the impact of infectious diseases in the aquaculture sector, and to assess the usefulness and use of impact studies in decision making for animal health management and biosecurity governance in Bangladesh. A review of scientific and grey literature on infectious disease impact in different aquaculture systems was conducted and their methodologies and findings summarised. Subsequently, interviews with 28 stakeholders from the private and public sector were conducted to enquire about decision-making structures in animal health management. The data were analysed using the framework method to allow the development of themes, by using the information, experiences and opinions inductively obtained from interviewees, deductively through the reviewed literature. Results showed a substantial socio-economic impact of infectious diseases. The numerous stakeholders involved in the decision-making process explained that key barriers to effective aquaculture health management were insufficient resources to investigate and tackle infectious aquatic animal diseases, a dearth of legislation and capacity for disease surveillance, a reliance on reactive response, and a lack of impact and evidence-based approaches for prioritising problem-solving, commonly based on anecdotal evidence. Furthermore, communication among the multiple stakeholders involved was reported to be weak. 
This complex situation requires a multi-level response, which should span from strengthening the knowledge of farmers and professionals in the field to the improvement of surveillance and diagnostic systems. Improved systems along with evidence on disease impact could inform the prioritisation of diseases and resource allocation for disease control in Bangladesh. Further, this evidence needs to be used to advise decisions to have a true value, for which establishing and strengthening communication pathways and processes is critical to make systematic use of the information and improve animal health management. In the light of future threats to Bangladesh such as climate change, increasing population density and demand for animal source foods, it is crucial to strengthen animal health management systems to reduce livelihoods vulnerability, food insecurity and the likelihood of disease emergence

    Governance and information governance: some ethical considerations within an expanding information society

    Governance and information governance ought to be an integral part of any government's or organisation's information and business strategy. More than ever before information and knowledge can be produced, exchanged, shared and communicated through many different mediums. Whilst sharing information and knowledge provides many benefits it also provides many challenges and risks to governments, global organisations and the individual citizen. Information governance is one element of a governance and compliance programme, but an increasingly important one, because many regulations apply to how information is managed and protected from theft and abuse, much of which resides with external agencies usually outside the control of the individual citizen. This paper explores some of the compliance and quality issues within governance and information governance including those ethical concerns as related to individual citizens and multiple stakeholders engaged directly or indirectly in the governance process

    International Guidelines for Securing Sustainable Small-scale Fisheries

    The 'Zero Draft' of the International Guidelines for Securing Sustainable Small-scale Fisheries (SSF Guidelines) has been prepared based on the outcomes of the extensive consultation process that has taken place during the last few years. This preliminary draft text draws in particular on the Discussion Document: Towards Voluntary Guidelines on Securing Sustainable Small-scale Fisheries – prepared as a stock-taking exercise by the FAO SSF Guidelines Secretariat in July 2011 and the contributions to and the outcomes of the FAO Workshop on International Guidelines for Securing Sustainable Small-scale Fisheries held on 7-10 February 2012 in FAO, Rome. It has been prepared to stimulate further consultations among all concerned parties. The outcomes of these additional consultations will provide guidance to the FAO Secretariat when preparing the text of the SSF Guidelines that will be submitted as a draft to the formal inter-governmental negotiation process tentatively scheduled for May 2013