A process model for implementing information systems security governance

Purpose; ; ; ; ; The frequent and increasingly potent cyber-attacks because of lack of an optimal mix of technical as well as non-technical IT controls has led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan “do “check “act (PDCA) cycle model of Deming.; ; ; ; ; Design/methodology/approach; ; ; ; ; This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.; ; ; ; ; Findings; ; ; ; ; The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle.; ; ; ; ; Originality/value; ; ; ; ; The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process

A process model for implementing information systems security governance.

Purpose: The frequent and increasingly potent cyber-attacks due to lack of an optimal mix of technical as well as non-technical IT controls, has led to increased adoption of security governance controls by organizations. The paper thus seeks to construct and empirically validate an information security governance process model through the Plan-Do-Check-Act cycle model of Deming. Design/methodology/approach: This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the information security governance (ISG) domain in United Arab Emirates to validate the theoretical model. Findings: Our findings suggest the primacy of the Plan-Do-Check-Act Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27 K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle. Originality/value: The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps, and justification of these factors in the ISG implementation process

Enhancing the governance of information security in developing countries: the case of Zanzibar

A thesis submitted to the University of Bedfordshire, in partial fulfilment of the requirements of the degree of Doctor of PhilosophyOrganisations in the developing countries need to protect their information assets (IA) in an optimal way. This thesis is based upon the argument that in order to achieve fully effective information security management (ISM) strategy, it is essential to look at information security in a socio-technical context, i.e. the cultural, ethical, moral, legal dimensions, tools, devices and techniques. The motivation for this study originated from the concern of social chaos, which results from ineffective information security practices in organisations in the developing nations. The present strategies were developed for organisations in countries where culture is different to culture of the developing world. Culture has been pointed out as an important factor of human behaviour. This research is trying to enhance information security culture in the context of Zanzibar by integrating both social and technical issues. The theoretical foundation for this research is based on cultural theories and the theory of semiotics. In particular, the study utilised the GLOBE Project (House et al, 2004), Competing Values Framework (Quinn and Cameron; 1983) and Semiotic Framework (Liu, 2000). These studies guide the cultural study and the semiotics study. The research seeks to better understand how culture impact the governance of information security and develop a framework that enhances the governance of information security in non-profit organisations. ISO/IEC 27002 best practices in information security management provided technical guidance in this work. The major findings include lack of benchmarking in the governance of information security. Cultural issues impact the governance of information security. Drawing the evidence from the case study a framework for information security culture was proposed. In addition, a novel process model for information security analysis based on semiotics was developed. The process model and the framework integrated both social and technical issues and could be implemented in any non-profit organisation operating within a societal context with similar cultural feature as Zanzibar. The framework was evaluated using this process model developed in this research. The evaluated framework provides opportunities for future research in this area

Effective information assurance with risk management

Today's businesses base their operation on their IT infrastructure, which consequently demands that it should be protected accordingly. Nevertheless, surveys tend to indicate that the number of IT security incidents is increasing, resulting in significant losses for the organisations concerned. Leading in poor security practices, and therefore frequent victims of related security incidents, are Small and Medium Enterprises (SMEs). Even though there are a number of solutions, ranging from baseline guidelines to a detailed Risk Assessment (which can be followed to guide organisations through systematically selecting appropriate controls and practices to properly secure their networked assets), evidence suggests that these are not being employed by SMEs. Constraints such as lack of budget, security personnel and awareness are amongst the factors that are deterring SMEs from adopting such solutions, and therefore contributing to their continued problem with security incidents. This thesis specifically targets the problem of security risk assessment within SME environments. Following an examination of the aforementioned constraints, the investigation considers the existing solutions, establishing the reasons that they are not appropriate for SME users. The research identifies that SMEs are in need of a solution that represents a progression of current guidelines, but without being as complicated as existing forms of Risk Analysis. Therefore a new methodology is designed, known as PRAM (Profile-based Risk Analysis and Management), which enables SMEs to analyse and manage their risks in a way that is simple to use and understand, as well as providing economic considerations on threats, their likelihood, effect and the spending required to reduce them to an acceptable level. The methodology is then implemented within a working prototype, which is evaluated using a series of test scenarios. These scenarios are also used as the basis for evaluating existing SME-oriented Risk Analysis solutions, and the findings determine that the PRAM approach is able to deliver a more comprehensive solution. In addition, an evaluation of the PRAM prototype by a series of end-users suggests that it also succeeds in providing a more user-friendly solution than the current alternatives. Overall, this thesis presents a solution that can be adopted by SMEs lacking in-house security expertise. It can assist them in understanding the threats they are under, while at the same time presenting appropriate information to enable management to evaluate their organisation's current IT security situation and select appropriate countermeasures.A. G. Leventis foundatio

A model for legal compliance in the South African banking sector : an information security perspective

In the past, many organisations used to keep their information on paper, which resulted in the loss of important information. In today’s knowledge era the information super-highway facilitates highly connected electronic environments where business applications can communicate on an intra- as well as inter-organizational level. As business expanded more into the cyber-world, so did the need to protect the information they have. Technology advances did not only bring benefits, it also increased the vulnerability of companies’ information. Information, the lifeblood of an organization, must be protected from threats such as hackers and fraud, amongst others. In the highly regulated financial sector, the protection of information is not only a best practice, but a legal obligation carrying penalties for non-compliance. From a positive aspect, organisations can identify security controls that can help them to secure their information, with the aid of legal sources. But organisations find themselves burdened by a burgeoning number of legal sources and requirements, which require vast resources and often become unmanageable. This research focuses on finding a solution for South African banks to comply with multiple legal sources, as seen from an information security perspective

Integrating information security into corporate culture

Introduction: There are many components that are required for an organisation to be successful in its chosen field. These components vary from corporate culture, to corporate leadership, to effective protection of important assets. These and many more contribute to the success of an organisation. One component that should be a definitive part in the strategy of any organisation is information security. Information security is one of the fastest growing sub-disciplines in the Information Technology industry, indicating the importance of this field (Zylt, 2001, online). Information security is concerned with the implementation and support of control measures to protect the confidentiality, integrity and availability of electronically stored information (BS 7799-1, 1999, p 1). Information security is achieved by applying control measures that will lessen the threat, reduce the vulnerability or diminish the impact of losing an information asset. However, as a result of the fact that an increasing number of employees have access to information, the protection of information is no longer only dependent on physical and technical controls, but also, to a large extent, on the actions of employees utilising information resources. All employees have a role to play in safeguarding information and they need guidance in fulfilling these roles (Barnard, 1998, p 12). This guidance should originate from senior management, using good corporate governance practices. The effective leadership resulting from good corporate governance practices is another component in an organisation that contributes to its success (King Report, 2001, p 11). Corporate governance is defined as the exercise of power over and responsibility for corporate entities (Blackwell Publishers, 2000, online). Senior management, as part of its corporate governance duties, should encourage employees to adhere to the behaviour specified by senior management to contribute towards a successful organisation. Senior management should not dictate this behaviour, but encourage it as naturally as possible, resulting in the correct behaviour becoming part of the corporate culture. If the inner workings of organisations are explored it would be found that there are many hidden forces at work that determine how senior management and the employees relate to one another and to customers. These hidden forces are collectively called the culture of the organisation (Hagberg Consulting Group, 2002, online). Cultural assumptions in organisations grow around how people in the organisation relate to each other, but that is only a small part of what corporate culture actually covers (Schein, 1999, p 28). Corporate culture is the outcome of all the collective, taken-for-granted assumptions that a group has learned throughout history. Corporate culture is the residue of success. In other words, it is the set of procedures that senior management and employees of an organisation follow in order to be successful (Schein, 1999, p 29). Cultivating an effective corporate culture, managing an organisation using efficient corporate governance practices and protecting the valuable information assets of an organisation through an effective information security program are, individually, all important components in the success of an organisation. One of the biggest questions with regard to these three fields is the relationship that should exist between information security, corporate governance and corporate culture. In other words, what can the senior management of an organisation, using effective corporate governance practices, do to ensure that information security practices become a subconscious response in the corporate culture?

Integrating information security into corporate culture

Introduction: There are many components that are required for an organisation to be successful in its chosen field. These components vary from corporate culture, to corporate leadership, to effective protection of important assets. These and many more contribute to the success of an organisation. One component that should be a definitive part in the strategy of any organisation is information security. Information security is one of the fastest growing sub-disciplines in the Information Technology industry, indicating the importance of this field (Zylt, 2001, online). Information security is concerned with the implementation and support of control measures to protect the confidentiality, integrity and availability of electronically stored information (BS 7799-1, 1999, p 1). Information security is achieved by applying control measures that will lessen the threat, reduce the vulnerability or diminish the impact of losing an information asset. However, as a result of the fact that an increasing number of employees have access to information, the protection of information is no longer only dependent on physical and technical controls, but also, to a large extent, on the actions of employees utilising information resources. All employees have a role to play in safeguarding information and they need guidance in fulfilling these roles (Barnard, 1998, p 12). This guidance should originate from senior management, using good corporate governance practices. The effective leadership resulting from good corporate governance practices is another component in an organisation that contributes to its success (King Report, 2001, p 11). Corporate governance is defined as the exercise of power over and responsibility for corporate entities (Blackwell Publishers, 2000, online). Senior management, as part of its corporate governance duties, should encourage employees to adhere to the behaviour specified by senior management to contribute towards a successful organisation. Senior management should not dictate this behaviour, but encourage it as naturally as possible, resulting in the correct behaviour becoming part of the corporate culture. If the inner workings of organisations are explored it would be found that there are many hidden forces at work that determine how senior management and the employees relate to one another and to customers. These hidden forces are collectively called the culture of the organisation (Hagberg Consulting Group, 2002, online). Cultural assumptions in organisations grow around how people in the organisation relate to each other, but that is only a small part of what corporate culture actually covers (Schein, 1999, p 28). Corporate culture is the outcome of all the collective, taken-for-granted assumptions that a group has learned throughout history. Corporate culture is the residue of success. In other words, it is the set of procedures that senior management and employees of an organisation follow in order to be successful (Schein, 1999, p 29). Cultivating an effective corporate culture, managing an organisation using efficient corporate governance practices and protecting the valuable information assets of an organisation through an effective information security program are, individually, all important components in the success of an organisation. One of the biggest questions with regard to these three fields is the relationship that should exist between information security, corporate governance and corporate culture. In other words, what can the senior management of an organisation, using effective corporate governance practices, do to ensure that information security practices become a subconscious response in the corporate culture?

Information security service management : a service management approach to information security management

In today’s world, information and the associated Information Technology are critical assets for many organizations. Any information security breach, or compromise of these assets, can lead to serious implications for organizations that are heavily dependent on these assets. For such organizations, information security becomes vital. Organizations deploy an information security infrastructure for protecting their information assets. This infrastructure consists of policies and controls. Organizations also create an information security management system for managing information security in the organization. While some of the policies and controls are of a purely technical nature, many depend upon the actions of end-users. However, end-users are known to exhibit both compliant and noncompliant behaviours in respect of these information security policies and controls in the organization. Non-compliant information security behaviours of end-users have the potential to lead to information security breaches. Non-compliance thus needs to be controlled. The discipline of information security and its management have evolved over the years. However, the discipline has retained the technology-driven nature of its origin. In this context, the discipline has failed to adequately appreciate the role played by the end-users and the complexities of their behaviour, as it relates to information security policies and controls. The pervasive information security management philosophy is that of treating end-users as the enemy. Compliance is sought to be achieved through awareness programs, rewards, punishments and evermore strict policies and controls. This has led to a bureaucratic information security management approach. The philosophy of treating end-users as the enemy has had an adverse impact on information security in the organization. It can be said that rather than curbing non-compliance by end-users, the present-day bureaucratic approach to information security management has contributed to non-compliance. This thesis calls this the end-user crisis. This research aims at resolving this crisis by identifying an improved approach to information security management in the organization. This research has applied the service management approach to information security management. The resultant Information Security Service Management (ISSM) views end-users as assets and resources, and not as enemies. The central idea of ISSM is that the end-user is to be treated as a customer, whose needs are to be satisfied. This research presents ISSM. This research also presents the various components of ISSM to aid in its implementation in an organization