
    Does Agency Size Affect IS Security Compliance for e-Government?

    Security compliance has become a major information systems management problem as a result of government regulations. Organizations are now developing methodologies and tools to assess compliance of Information Systems (IS) security. The research outlined in this paper is part of a longitudinal action research study which aims to help inform and improve security within Whole of Government (WoG). This paper examines the different effects of organisational size on IS security compliance within government organisations and how the adoption of security controls differed across small, medium and large government agencies. This paper identifies differences across government agencies rather than assuming that IS security compliance within e-government would be the same for agencies of different sizes. The approach utilised within this study may be extended to assess compliance with regulations in small, medium and large multi-unit organizations in other sectors as well as government.

    A compliance based framework for information security in e-government in Oman

    The development of electronic government (e-government) in Oman has created new means for public organizations to deliver services, engage citizens, and improve workflows between public organizations. Such a development has opened the possibility that critical information in e-government systems can be exposed. This directly affects the confidence and trust of e-government stakeholders. Such confidence and trust are important to the continued development of e-government in Oman. As a result, the security of information has become a critical issue that needs to be adequately addressed in e-government development. This research aims to develop a compliance-based framework for information security in public organizations in e-government development in Oman. Specifically, it aims to (a) identify the critical factors for effective information security compliance in public organizations in Oman, (b) develop a framework for information security compliance, and (c) provide the Omani government with some recommendations for effective information security compliance in public organizations for e-government development. To fulfill these research aims, a mixed-methods methodology is used. A conceptual framework is developed by hypothesizing the critical factors for effective information security compliance in organizations. With the use of survey data collected from public organizations in Oman, the conceptual framework is tested and validated using structural equation modeling. To further validate the identified critical factors, thematic analysis is carried out on the semi-structured interview data collected simultaneously. The quantitative findings and the qualitative findings are triangulated to better understand information security compliance in public organizations for e-government development in Oman.
The study reveals that management commitment, awareness and training, accountability, organizational loyalty, audit and monitoring, process integration, technology capability, technology compatibility, technology reliability, legal pressures, and social pressures are critical for effective information security compliance in public organizations for e-government development in Oman. Based on the critical factors identified, a new framework for information security compliance is developed. Such a framework consists of four main dimensions: (a) organizational security culture, (b) information security processes, (c) security technologies, and (d) environment pressures. This research contributes to the e-government and information security compliance research from both the theoretical and practical perspectives. From the theoretical perspective, this research demonstrates the applicability of socio-organizational factors for influencing information security compliance in public organizations for e-government development. From the practical perspective, this research provides an in-depth investigation of the critical factors for information security compliance, which provides the Omani government with useful guidelines on how to ensure information security in public organizations for e-government development. Such guidelines are also useful for other developing countries in their e-government development endeavors.

    ICT Governance in Local Government – Proposals for Information Security

    In 2012 the Portuguese government proposed the “Plano global estratégico de racionalização e redução de custos nas TIC, na Administração Pública” with the objective of improving the public service at a lower cost. This plan is composed of a set of five important actions to be applied to Information and Communications Technology (ICT) resources in public administration: i) improvement of government mechanisms; ii) cost reduction; iii) use of ICT to promote change and government modernization; iv) implementation of common ICT solutions; v) stimulating economic growth. In the scope of information security, this plan indicates: i) ICT rationalization, organization and management; ii) information systems and technologies architecture, standards and guidelines; iii) definition and implementation of a national information security strategy; and iv) definition and implementation of sectorial action plans to rationalize ICT. This paper aims to address some of these actions in the context of information assurance and security specifically associated with local government. To achieve this goal, the creation of a “Governance Information Technologies Structure” (GEITS) is proposed. This proposal is based on existing good practices at a global level in the governance and management of ICT, IT (Information Technology) and the security of information systems. Integrating ICT management in local governments, as well as recognizing the role of business partners in achieving solutions and developing new areas to create public value, supports transparency through the use of internationally recognized rules and frameworks. Thus, the intention is to treat ICT as a business partner and a source of value creation rather than purely as a source of support to the business itself. The effect of this appreciation will be the integration of ICT management into local governance.
The proposal for implementing the GEITS in the municipality is based on the CobiT 5 implementation guide. This guide also directs the implementation program and the method for incorporating each phase of the continuous improvement process, including how to use other tools such as ITIL or ISO/IEC 27000. A case study of its use, following Appendix D (Example Business Case) of the CobiT 5 implementation guide, as well as the blueprints provided by the guide and the framework itself, has led to some conclusions, such as: i) the slowness of each program iteration; ii) the need to mitigate some risks, for example the need for executive support; iii) the identification of relevant activities in the field of information security and assurance; iv) the security of the information is guaranteed according to the risk assumed, thereby ensuring optimized resources with prioritization (through the GEITS) based on business cases; v) promoting the desire to act when facing the results of the local government/process capability analysis. From an information security and assurance perspective, a series of relevant activities have been identified referring directly to risk management, information security and data security, namely:
- To ensure that security incidents are managed properly, the local government needs to assess suppliers for compliance with existing policies, guaranteeing information security conditions and compliance with contracts and Service Level Agreements (SLAs).
- To minimize or even eliminate the impact on local government or stakeholders, it is essential to use a methodology based on risk analysis to improve security incident management.
- An Information Security Management System (ISMS) is needed to provide a coordinated information security perspective for the local government and to enable the implementation of controls in a coherent manner.
- Information security is achieved through the implementation of an adequate set of controls, including policies, processes, procedures and organizational structures.
- Any organization must effectively prevent malicious manipulation of sensitive data.
- Checking the process or the implemented controls ensures compliance with internal and external requirements.
It is important to explain what an EGTIC is and how it contributes to better public governance. It is also important to level the training proposals for solutions, systems or processes through the use of a strategic justification with comparable parameters, allowing investment to be prioritized. Frequently, the assessment of ICT services and information systems in government is done ad hoc or uses external auditors; the work presented in this paper shows that the use of CobiT 5 tools to carry out this capability analysis is quite effective. This opens a door to the first phase of implementation of the EGTIC, creating the desire to act.

    Partly Cloudy, Scattered Clients: Cloud Implementation in the Federal Government

    Since the issuance of a federal mandate in 2010 requiring federal government agencies in the United States of America to immediately shift to a “Cloud First” policy, agencies have struggled to adopt cloud computing. Previous research has examined hindrances to cloud computing adoption across industries in the private sector (Raza et al., 2015; Park and Ryoo, 2012; Bhattacherjee and Park, 2012). While this research provides important insights on cloud computing adoption in the private sector, it devotes scant attention to the challenges of cloud computing adoption in the federal government. This study seeks to fill this gap by examining the roles of Top Management Support and Information Security Awareness in cloud computing implementation success in the federal government. Institutional theory serves as the theoretical framework for this study.

    Innovative public governance through cloud computing: Information privacy, business models and performance measurement challenges

    Purpose: The purpose of this paper is to identify and analyze challenges and to discuss proposed solutions for innovative public governance through cloud computing. Innovative technologies, such as federation of services and cloud computing, can greatly contribute to the provision of e-government services through scalable and flexible systems. Furthermore, they can help reduce costs and overcome public information segmentation. Nonetheless, when public agencies use these technologies, they encounter several associated organizational and technical changes, as well as significant challenges. Design/methodology/approach: We followed a multidisciplinary perspective (social, behavioral, business and technical) and conducted a conceptual analysis of the associated challenges. We conducted focus group interviews in two countries to evaluate the performance models that resulted from the conceptual analysis. Findings: This study identifies and analyzes several challenges that may emerge while adopting innovative technologies for public governance and e-government services. Furthermore, it presents suggested solutions deriving from the experience of designing a related platform for public governance, including issues of privacy requirements, proposed business models and key performance indicators for public services on cloud computing. Research limitations/implications: The challenges and solutions discussed are based on the experience gained by designing one platform. However, we rely on issues and challenges collected from four countries. Practical implications: The identification of challenges for the innovative design of e-government services through a central portal in Europe using service federation is expected to inform practitioners in different roles about the significant changes implied across multiple levels, and may accelerate the resolution of those challenges.
Originality/value: This is the first study that discusses, from multiple perspectives and through empirical investigation, the challenges of realizing public governance through innovative technologies. The results emerge from an actual portal that will function at a European level. © Emerald Group Publishing Limited

    The Federal Information Security Management Act of 2002: A Potemkin Village

    Due to the daunting possibilities of cyberwarfare, and the ease with which cyberattacks may be conducted, the United Nations has warned that the next world war could be initiated through worldwide cyberattacks between countries. In response to the growing threat of cyberwarfare and the increasing importance of information security, Congress passed the Federal Information Security Management Act of 2002 (FISMA). FISMA recognizes the importance of information security to the national economic and security interests of the United States. However, this Note argues that FISMA has failed to significantly bolster information security, primarily because FISMA treats information security as a technological problem and not an economic problem. This Note analyzes existing proposals to incentivize heightened software quality assurance, and proposes a new solution designed to strengthen federal information security in light of the failings of FISMA and the trappings of Congress’s 2001 amendment to the Computer Fraud and Abuse Act.

    Secure web application development and global regulation

    The World Wide Web (WWW) has been predominantly responsible for instigating radical paradigm transformations in today’s global information-rich civilizations. Many societies have basic operational economic components that depend on Web-enabled systems in order to support daily commercial activities. The acceptance of e-commerce as a valid channel for conducting business, coupled with societal integration and dependence on Web-enabled technology, has instigated the development of local, national, and global efforts to regulate criminal activities on the World Wide Web. This paper makes two contributions. The first contribution is a high-level review of the United States and United Kingdom legislation that has developed from the escalation and integration of the World Wide Web into society. The second contribution is support for the idea that legislative compatibility, in concert with an organization’s policy compatibility, needs to be acknowledged in secure Web application development methodologies.

    Developing a Conceptual Framework for Cloud Security Assurance
