Managing IT Security Relationships within Enterprise Control Frameworks


Brian Cusack (AUT University, New Zealand)
DOI: 10.4018/978-1-60566-008-0.ch010
Security is a subprocess that affects all processes within an organizational structure. The control frameworks CobiT and ITIL each map organizational roles from the capital interest at the highest level down to the implementation level of an enterprise system. Both frameworks provide varying capability for control at different levels of an organization and leave the problem of making control functional to the managerial layer. In this chapter the security process is mapped from the two control frameworks at the strategic layer, and the issue of effective management tactics is discussed from the theoretical structures within the problem area. No attempt is made to translate theory into practice.
Chapter Preview


Security is a subprocess that affects all processes within an organizational structure, to differing degrees. A security strategy is often described as defense in depth, a metaphor that conveys an image of structured rigidity in the face of assessed risks. An effective business security strategy has elements of defense in depth theory but also draws on other philosophical insights, including flexibility and rapid response. In the CobiT control framework security is defined as “Ensure Systems Security” (Deliver and Support, DS5) (ITGI, 2007a). The goal of that process is to ensure systems security “to safeguard information against unauthorized use, disclosure or modification, damage or loss.” In the ITIL control framework security is described as “Security Management” and has three distinct management roles associated with it (van Bon, 2004b). Its objective is to protect “the value of information in terms of confidentiality, integrity and availability”. Both control frameworks acknowledge defense in depth, and the ITIL security management guidelines add a discussion of flexibility: “While it is important to protect information assets with traditional stronghold / fortress approaches it has become equally important to have a skirmish capability when it comes to skirmish events. … The organization must have the capability to rapidly put resources on the ground where trouble is before that trouble has a chance to spiral out of control” (van Bon, 2004a, pp. 181-183).

Protecting information strategically is consequently more than establishing defense in depth; it is also a matter of strategic positioning and repositioning. Positioning occurs within the enterprise subsystem and in relation to the enterprise system as a whole. Both CobiT and ITIL specify the security process carefully and elaborate its interrelation with other processes. In CobiT the security process (defined as DS5; see ITGI, 2007a; 2007b; 2007c) has three input processes, provides direct input to nine output processes, and influences “other IT processes”. Similarly, in the ITIL control framework security management has relationships with eleven other management processes. ITIL is more explicit than CobiT and the CobiT management guidelines about the nature of each relationship and the consequences of the security process for it. Both control frameworks emphasize the importance of the security process for the outcomes of the enterprise system. It would appear, then, that understanding process management well enough to achieve successful process outputs requires more than the systematic control of one process; as the literature acknowledges, security management has an enterprise-wide mandate across all processes (Siponen, 2000). It is contended here that the current elaboration of enterprise-wide security management lacks specification for variation in process relationships, variation in impacts, and guidelines for flexible positioning. Analysis and clarification of that variation can add knowledge to what is already advocated in the control literature (ITGI, 2005a; Straub & Welke, 1998).

Table of Contents

Wim Van Grembergen
Aileen Cater-Steel

Chapter 1: The Current State of Information Technology Governance Literature
Sherrena Buckby, Peter Best, Jenny Stewart
This chapter introduces current and prior IT governance literature across five key focus areas being strategic alignment of business and IT systems...

Chapter 2: IT Governance-Based IT Strategy and Management: Literature Review and Future Research Directions
Junghoon Lee, Changjin Lee
Domestic and global companies are increasingly using information and communication technologies as a means of delivering their strategic visions and...

Chapter 3: IT Governance: A Critical Review of the Literature
David Musson
This chapter reviews the IT governance literature. It proposes that there are three different concepts that are grouped together as IT governance....

Chapter 4: Adoption and Implementation of IT Governance: Cases from Australian Higher Education
Jyotirmoyee Bhattacharjya, Vanessa Chang
This chapter introduces key IT governance concepts and industry standards and explores their adoption and implementation in the higher education...

Chapter 5: Tailoring CobiT for Public Sector IT Audit: An Australian Case Study
Lynne Gerke, Gail Ridley
This chapter examines the potential to use an audit program based on the Control Objectives for Information and related Technologies (CobiT)...

Chapter 6: Comprehensive Architecture Rationalization and Engineering
Tony C. Shan, Winnie W. Hua
This chapter defines a methodical approach, named Comprehensive Architecture Rationalization and Engineering (CARE), to effectively manage the...

Chapter 7: A Comparative Case Study of Three Korean Firms: Applying an IT Governance Framework
Junghoon Lee, Jungwoo Lee, Ja Young Lee
Research has recently begun to place greater emphasis on the strategic application of IT in seeking to integrate firms’ IT infrastructures and...

Chapter 8: The Impact of ICT Governance within Australian Companies
Breanna O’Donohue, Graeme Pye, Matthew J. Warren
This chapter focuses upon the Australian Standard for the Corporate Governance of Information and Communication Technology (ICT) AS8015 (Standards...

Chapter 9: Improving ICT Governance: A Radical Restructure Using CobiT and ITIL
Mark Toleman, Aileen Cater-Steel, Brian Kissell, Rob Chown, Michael Thompson
Acting upon the recommendations of a review of information and communications technology (ICT) governance and services at USQ, a major restructure...

Chapter 10: Managing IT Security Relationships within Enterprise Control Frameworks
Brian Cusack
Security is a subprocess that affects all processes within an organization structure. The control frameworks of CobiT and ITIL provide a mapping of...

Chapter 11: Unexplored Linkages between Corporate Governance and IT Governance: An Evaluation and Call to Research
Michael A. Borth, Randy V. Bradley
This chapter discusses the overall importance of both corporate and IT governance, and demonstrates that IT governance is a very important...

Chapter 12: I-Fit: Optimizing the Fit between Business and IT
Alea Fairchild, Martin Smits, Piet Ribbers, Erik van Geel, Geert Snijder
This document summarizes the initial findings of the I-Fit research project that started in August 2006 as a joint activity of a regional ICT...

Chapter 13: Competence of Information Technology Professionals in Internet-Based Ventures
Tobias Kollmann, Matthias Häsel
This chapter articulates the knowledge and skills required by IT professionals in young Internet-based firms. Building on the general IT governance...

Chapter 14: The Role of Maturity Models in IT Governance: A Comparison of the Major Models and Their Potential Benefits to the Enterprise
G. Philip Rogers
This chapter assesses what role maturity models can play in enterprise IT governance. Frameworks that are well known in the IT industry, such as the...

Chapter 15: Governance of Software Development: The Transition to Agile Scenario
Yael Dubinsky, Avi Yaeli, Yishai Feldman, Emmanuel Zarpas, Gil Nechushtai
Governance is the exercise of control and direction over a subject such as a society, an organization, processes, or artifacts, by using laws and...

Chapter 16: The Governance Implications When IT is Outsourced
Anne C. Rouse
This chapter considers the governance issues raised by the increasing use of external parties to supply IT resources (including packaged enterprise...

Chapter 17: IT Portfolio Management: A Pragmatic Approach to Implement IT Governance
Muralidharan Ramakrishnan
This chapter is intended primarily for managers who are preparing to implement portfolio management concepts in an organization and students of IT...

Chapter 18: Applying Organizational Theories to Realize Adaptive IT Governance and Service Management
Andrew Dowse, Edward Lewis
With the cost, complexity and risk associated with IT systems, the approach to IT governance and service management in many organizations is to...

Chapter 19: Implementing IT Service Management: Lessons Learned from a University IT Department
Jon Iden
This chapter presents and analyzes a real life ITIL project, and it is based on a longitudinal case study. The purpose is to illustrate how the ITIL...

Chapter 20: A Model for IT Service Strategy
Neil McBride
This chapter describes a suggested model for developing a service strategy within IT services. It considers the context, the organization of IT...

Chapter 21: An Overview of Models and Standards of Processes in the SE, SwE, and IS Disciplines
Manuel Mora, Ovsei Gelman, Rory O’Connor, Francisco Alvarez, Jorge Macías-Luévano
This chapter develops a descriptive-conceptual overview of the main models and standards of processes formulated in the systems engineering (SE)...

Chapter 22: Perspectives of IT-Service Quality Management: A Concept for Life Cycle Based Quality Management of IT-Services
Claus-Peter Praeg, Dieter Spath
This chapter introduces an IT-Service management framework for the use of quality management concepts in the context of the life cycle phases of...

Chapter 23: Measuring Return on Investment from Implementing ITIL: A Review of the Literature
Chee Ing Tiong, Aileen Cater-Steel, Wui-Gee Tan
This study reviews literature related to financial metrics that organizations could use in measuring the return on investment from their adoption of...

Chapter 24: Integrated Product Life Cycle Management for Software: CMMI, SPICE, and ISO/IEC 20000
Dirk Malzahn
This chapter describes how models for software development and service delivery can be integrated into a common approach to reach an integrated...

About the Contributors