A Proposed Best-practice Framework for Information Security Governance

Ghada Gashgari, Robert Walters, Gary Wills

Abstract

Information security (IS) must be integrated into corporate governance and regarded as a governance challenge that includes reporting, accountability and adequate risk management. Good implementation of information security governance (ISG) delivers strategic alignment, risk management, resource management, performance measurement and value delivery. Several publications have addressed this field. However, the critical success factors (CSFs) that ensure the improvement from a high level across the essential governance areas for effective governance, have not been identified. Based on the literature review, this research identifies seventeen initial CSFs for ISG that affect the long-term success of organisations. For clear high-level guidance of ISG practices, a comprehensive set of ISG rules has been developed based on the principles of ISO/IEC 27014 and COBIT for IS. A best-practice framework for ISG has been proposed across the essential governance areas for effective governance of IS that support the organisations to survive and thrive.

References

  1. Abu-Musa, A. (2010). Information Security Governance in Saudi Organizations: an empirical Study, Information Management & Computer Security, 18, 226-276.
  2. Allen, J. (2005). Governing for Enterprise Security, Technical Note. Pittsburgh.
  3. Allen, J. H. (2013). Security Is Not Just a Technical Issue, US-CERT: Build Security In.
  4. Bobbert, Y., & Mulder, H. (2015). Governance Practices and Critical Success factors suitable for Business Information Security, in International Conference on Computational Intelligence and Communication Networks.
  5. Bowen, P., Hash, Joan; , & Wilson, M. (2006). Information Security Handbook?: A Guide for Managers. National Institute of Standards and Technology (NIST).
  6. Bullen, C. V., & Rockart, J. F. (1981). A primer on critical success factors, The Rise of Management Computing.
  7. de Oliveira Alves, G., de Costa Carmo, L., & de Almeida, A. (2006). Enterprise Security Governance, 0(C), 71- 80.
  8. Eloff, M. M., & von Solms, S. H. (2000). Information Security Management: A Hierarchical Framework for Various Approaches, Computers & Security, 19(3), 243-256.
  9. Entrust (2004). An Essential Element of Corporate Governance, (April).
  10. ISACA (2012). COBIT 5 for Information Security. IL, USA. Available at: www.isaca.org/cobit5info-sec.
  11. ISO/IEC 27014. (2013). Governance of Information Security. Geneva: International Organization for Standardization and the International Electrotechnical Commission.
  12. ITGI. (2003). Board Briefing on IT Governance (2nd ed).
  13. ITGI. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd ed.). IT Governance Institute.
  14. Johnston, A. C. & Hale, R. (2009). Improved Security Through Information Security Governance, Communications of the ACM, 52(1), 126.
  15. Lainhart, J. W. (2001) An IT Assurance Framework for the Future, The Ohio CPA Journal.
  16. Love, P., Reinhard, J., Schwab, A. J. and Spafford, G. (2010). GTAG Information Security Governance, The Inistitute of Internal Auditors, 134.
  17. Mears, L., & Von Solms, R. (2004). Corporate Information Security Governance?: A Holistic Approach.
  18. Moulton, R., & Coles, R. S. (2003). Applying information security governance, Computers & Security, 22(7), 580-584.
  19. National Cyber Security Summit Task Force (2004). Information Security Governance?: a Call To Action, Coroprate Governance Report.
  20. Paul Williams, A. (2001). Information Security Governance, Information Security Technical Report, 6(3), 60-70.
  21. Rastogi, R., & von Solms, R. (2006). Information Security Governance-A Re-Definition, Security Management, Integrity, and Internal Control in Information Systems, 193, 223-236.
  22. Rockart, J., & Van Bullen, C. (1981). A Primer on Critical Success Factors, Center for Information Systems Research, Sloan School of Management, MIT, Cambridge, MA, (February 1981).
  23. von Solms, B. (2001). Corporate governance and information security, Computers & Security, 20, 215- 218.
  24. von Solms, R., & von Solms, S. H. (Basie). (2006). Information Security Governance: A model based on the Direct-Control Cycle, Computers and Security, 25(6), 408-412.
  25. von Solms, S. H., & von Solms, R. (2008). Information Security Governance. Johannesburg: Springer.
  26. Weill, P., & Ross, J. (2004.) IT Governance, How Performers Manage IT Decision Rights for Superior Results. Harvard Business Press.
  27. Westby, J., & Allen, J. (2007). Governing for Enterprise Security (GES) Implementation Guide, Software Engineering Institute, CERT, (August), 1-17.
Download


Paper Citation


in Harvard Style

Gashgari G., Walters R. and Wills G. (2017). A Proposed Best-practice Framework for Information Security Governance . In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS, ISBN 978-989-758-245-5, pages 295-301. DOI: 10.5220/0006303102950301


in Bibtex Style

@conference{iotbds17,
author={Ghada Gashgari and Robert Walters and Gary Wills},
title={A Proposed Best-practice Framework for Information Security Governance},
booktitle={Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,},
year={2017},
pages={295-301},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006303102950301},
isbn={978-989-758-245-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,
TI - A Proposed Best-practice Framework for Information Security Governance
SN - 978-989-758-245-5
AU - Gashgari G.
AU - Walters R.
AU - Wills G.
PY - 2017
SP - 295
EP - 301
DO - 10.5220/0006303102950301